Author Archives: privacynewshighlights

16-31 October 2014

Biometrics

US – Court: Police Can Compel Defendants to Give Up Fingerprints but Not Passwords

A circuit court judge has ruled that defendants can be compelled to give up fingerprints but not passwords to law enforcement in cell-phone search cases. Judge Steven C. Frucci said that disclosing a fingerprint is like giving up one’s DNA or handwriting sample and thus not a violation of the Fifth Amendment protecting against self-incrimination. However, a password requires defendants to share knowledge, which is protected by the Fifth Amendment. Last year, privacy advocate and lawyer Marcia Hofmann predicted that Apple’s fingerprint ID could mean that users would not be able to plead the Fifth in cellphone search cases. [The Virginian-Pilot]

WW – This MasterCard with a built-in fingerprint sensor is coming in 2015

MasterCard has announced the world’s first contactless payment card that uses your fingerprint to authenticate payments. It’s partnered with Zwipe, the company behind this biometric technology, on a card that will only permit charges if your thumb is resting on the built-in sensor. You can wave it near an NFC reader for contactless payments, and it’s also fully compatible with chip terminals. Fingerprint data is all stored locally inside the card’s secure element and is never transmitted to MasterCard. And since biometric authentication obviates any need to enter a PIN, Zwipe says this is fundamentally more secure than the chip and PIN system. The company already ran a pilot with Norway’s Sparebanken DIN bank, but the prototype card used was far from perfect. It had a battery inside, which made it a bit more unwieldy compared to your everyday plastic. [Source]

AU – Opposition Grows to Storage of Photo and Biometric Data

Photographs of millions of Australians will be stored by the Immigration Department, and this “biometric data” gathering could extend to fingerprinting and iris scanning under the Abbott government’s controversial counterterrorism laws. The “foreign fighters” bill means there will be a major expansion of facial recognition imaging of Australians passing through international airports in a crackdown on passport fraud that could eventually apply to a wide range of biometric data – which could be shared with other government agencies. Critics say the danger of such information being hacked is profound, given many personal electronic devices are now secured by fingerprints and iris scans. The sheer scale of the personal information that would stream into the government’s databanks is set to open one of the first fissures in the largely bipartisan approach to national security, with Labor warning that the legislation poses a danger to privacy. [Source]

Canada

CA – Legislative News Roundup

Canada Introduces New Anti-Terror Legislation After Ottawa Attacks C-44: [Canada’s Public Safety Minister Steven Blaney introduced Bill C-44, which would broaden the powers of CSIS including authorizing Canadian spies abroad to break the laws of a foreign country when investigating threats to the security of Canada] | S-4: [The Canadian House of Commons is discussing Bill S-4, which would amend the Personal Information Protection and Electronic Documents Act to include mandatory breach notification provisions] [Canada’s House of Commons Industry Committee will now review Bill S-4, the Digital Privacy Act] and [Canada Mulls Mandatory Data Breach Notifications] | C-13 [Canadian Justice Minister Peter MacKay is getting criticism from both parties over Bill C-13, also known as the cyberbullying bill] and AB PIPA [Alberta has “formally filed” a motion to extend the deadline for the province to amend its Personal Information Protection Act (PIPA) with the Supreme Court] [Tighter privacy laws were among the issues highlighted by the Saskatchewan government in last week’s throne speech] and finally: Canada’s Conservatives’ latest budget bill includes the creation of a national missing persons’ DNA databank] [November 1st – 10th Anniversary of PHIPA] and finally: [CASL Enforcement: Much Ado About Nothing]

CA – Statement of the Privacy and Information Commissioners of Canada on National Security and Law Enforcement Measures

Privacy and Information Commissioners of Canada attending their annual meeting noted with sadness last week’s events in Saint-Jean-sur-Richelieu, Quebec, and in Ottawa, Ontario. “The following days, weeks and months will be critical in determining the future course of action to ensure not only that Canada remains a safe country, but also that our fundamental rights and freedoms are upheld. Legislative changes being contemplated may alter the powers of intelligence and law enforcement agencies. We acknowledge that security is essential to maintaining our democratic rights. At the same time, the response to such events must be measured and proportionate, and crafted so as to preserve our democratic values. To that end, the Privacy and Information Commissioners of Canada call on the federal Government:

  • To adopt an evidence-based approach as to the need for any new legislative proposal granting additional powers for intelligence and law enforcement agencies;
  • To engage Canadians in an open and transparent dialogue on whether new measures are required, and if so, on their nature, scope, and impact on rights and freedoms;
  • To ensure that effective oversight be included in any legislation establishing additional powers for intelligence and law enforcement agencies.

Canadians both expect and are entitled to equal protection for their privacy and access rights and for their security. We must uphold these fundamental rights that lie at the heart of Canada’s democracy. The statement is available on the website of the Office of the Privacy Commissioner of Canada and the Office of the Information Commissioner of Canada. [Source]

CA – Ruling Prevented Sharing of Data on Men Who Killed Soldiers

Canada didn’t share “some intelligence” with the U.S. about the two men who committed fatal acts last week because of a 2013 court ruling limiting the transfer of personal data, according to a Canadian official. U.S. authorities knew little about Michael Zehaf-Bibeau or Martin Roulou, who each killed a solider last week in Canada. A court ruling last year said the Canadian Intelligence Service was breaking privacy laws by passing data about Canadian citizens to the “Five Eyes” intelligence-sharing network, comprising Canada, the U.S., Australia, New Zealand and the UK. [Reuters] See also: [The Canadian Forces Counter Intelligence Unit has issued a new directive regarding social media practices in the wake of last month’s attacks]

CA – Classroom Behavior App Has Commissioners Worried

Privacy commissioners in Canada are concerned about a new computer program, increasingly used in Canadian schools, that collects and stores information about the in-class behavior of students. ClassDojo allows teachers to assign or deduct points for students based on their behavior, creating a competition for the best behavior among classmates and allowing parents to monitor how their kids are doing in real time. ClassDojo collects information on 53 million students globally on a minute-by-minute basis and stores it on a private company’s servers in the U.S. that is not subject to Canadian privacy laws, the report states. [Ottawa Citizen] See also: [Toronto: Rate My Classmate site meant to call out group-project slackers] and [Canadian university athletes must waive privacy to play: CIS] and [If a teacher’s decades-old erotic films can resurface online, what rights should we have to digital privacy?]

CA – Privacy Commissioner Issues Annual Report, MetaData Research Paper

The Office of the Privacy Commissioner (OPC) has released its annual report and a privacy research paper entitled Metadata and Privacy: A Technical and Legal Overview. See also: [Dentons Bernier Shares Tips from a Former Privacy Regulator]

CA – Alberta Privacy Commissioner Worried About Calgary Police Service’s Body-Worn Camera Plans

Growing worries over the Calgary Police Service’s plans to equip 550 officers with body cameras forced Jill Clayton, Alberta’s privacy commissioner, to voice concerns in a letter to Chief Rick Hanson. In September, deputy police Chief Trevor Daroux told Metro his pilot program ran through 2012 to 2013, recorded 2,700 videos and helped in 32 criminal cases. After completing the project, CPS announced they would move forward with body-worn cameras in 2015. This announcement sparked privacy concerns from the public and a civil liberty group. Clayton told Metro she was concerned about the project because she hasn’t heard from anyone at CPS. In her letter, which was later posted the her website, Clayton urges CPS to file a Privacy Impact Assessment. This report would address the CPS’s ability to handle the endless amounts of private information they would gather from using body-worn cameras. Though not required, she has been lobbying for legislation to make PIAs mandatory. [Source]

Consumer

US – Study Finds Discriminatory Pricing “Much More Widespread”

A new study of top e-commerce websites has found “price steering”—when companies use consumer profiles to personalize prices—is much more widespread than previously understood. The study, which was conducted by a team of computer scientists at Northeastern University, tracked searches on 16 popular e-commerce sites and found six of the sites used the pricing technique but none alerted consumers of it. [The Wall Street Journal]

US – Vladeck, Calo Examine Digital Marketing Manipulation

David Vladeck, former director of the Federal Trade Commission’s Bureau of Consumer Protection, discusses a recent article by Prof. Ryan Calo in which Calo writes about the potential for digital marketing to manipulate consumer choice. Vladeck writes that Calo’s “arguments are powerful and persuasive” but suggests the risks might be “less pronounced” than Calo asserts, noting there are ways “regulators are already responding to the risks that manipulative digital advertising poses to consumers.” Reiterating that any disagreements he has with Calo’s article are “gentle caveats,” Vladeck concludes that Calo “has responsibly sounded an alarm to prompt regulators into action.” [The George Washington University Law Review]

WW – Study Spotlights PII Collection, Impact on Consumer Behavior

LexisNexis Risk Solutions has released a study focusing on why industries collect, store and process personally identifiable information (PII) and its corresponding effect on consumer behavior. The study surveyed more than 3,000 consumers regarding their willingness to share their PII in low, medium and high-risk transactions, and the study also interviewed 22 executives in the financial, healthcare, retail and government sectors to reveal how each uses PII for identity verification. LexisNexis Risk Solutions VP Dennis Becker said, “Organizations need to be cognizant of how consumers’ fears and experiences affect their willingness to share sensitive data and seek ways to minimize the amount of personal information being requested.” [BusinessWire] One survey has found nearly half of holiday shoppers said they will not shop at stores that have been hacked. See also: [Nico Sell of Wickr: Privacy Is the New Fame]

E-Mail

WW – Facebook and Yahoo Develop Mechanism to Protect Recycled eMail Addresses from Abuse

Facebook and Yahoo are taking steps to prevent users of recycled email addresses from taking control of other accounts. When Yahoo began recycling email addresses last year, critics were concerned that the information could be used to change passwords on accounts that used the old email address for password change confirmation, and that the new email user could possibly receive sensitive messages intended for the former user. Yahoo and Facebook have together developed a mechanism for preventing such abuse. Using Simple Mail Transfer Protocol (STMP), sensitive email messages will include a field within the header that notes the date since the sender has known the address. If the address is determined to have changed ownership since that date, the message will not be delivered. [ComputerWorld] [WIRED] See also: [After Nova Peris and Barry Spurr, should we all give up on email in the name of privacy?]

WW – Mobile ISP Cricket was Thwarting Encrypted Emails, Researchers Find

Engineers from digital security and privacy firm Golden Frog found some customers of Cricket, a prepaid mobile company, were prevented from sending encrypted emails for months. The findings were shared with the FCC and released in a media report earlier this month, but without the company’s name, the report states. “Golden Frog said that Cricket customers were unable to send encrypted messages and said its testing found that the problem ended shortly after the TechDirt article was published,” the report states. “It is unclear how long or how many customers were affected.” [The Washington Post] See also: [Mondaq looks at Canada’s Anti-Spam Law provisions “concerning the distribution and installation of computer programs,” suggesting they should “be of particular concern to all businesses who distribute or intend on distributing software either alone or as part of their product or service offerings.”]

Encryption

WW – China Using Phony Apple Certificate to Snoop on iCloud

A group that monitors Chinese government censorship, GreatFire.org, says that censors in China are conducting man-in-the-middle attacks on Apple’s iCloud in that country. Technical information suggests that a phony Apple certificate is being used to intercept the traffic. [GreatFire] [ArsTechnica] [InformationWeek] [v3.co.uk] [ComputerWorld] See also: [Apple Chief Vouches for China’s Pro-Privacy Stance

WW – Apple Issues iCloud Security Advisory

Apple has issued a security warning about attacks attempting to steal information from iCloud users with fraudulent certificates. An Apple support page warns users to heed invalid certificate warnings while visiting iCloud and that they should never enter login information into websites that present certificate warnings. [Apple] [TheRegister] [CSMonitor] [v3.co.uk] [Adobe eReader now using SSL to phone home] [Analysis of Samsung KNOX] See also: T-Mobile is “quietly” hardening its network to a more sophisticated form of encryption, making it more difficult for bulk surveillance

WW – Apple to Stop Using SSL 3.0 for Push Notifications

Apple plans to stop using the Secure Sockets Layer 3.0 (SSL 3.0) encryption standard for its Apple Push Notification service following the disclosure of a vulnerability. Developers have until October 29 to update their apps. More information on the SSL 3.0 flaw can be found here and [ZDNet] [CNET]

EU Developments

EU – Parliament Approves New Commission

President-Elect Jean Claude Juncker has secured confirmation for his new European Commission with 423 Members of the European Parliament voting in favor and 209 voting against. Juncker said the commission will focus on digital matters. Harmonizing tech-related policy and laws across the EU will be the responsibility of two new commissioners, Andrus Ansip and Günther Oettinger, who will replace outgoing Commissioner for the Digital Agenda Neelie Kroes. And Access has published an extensive look at the incoming group of EU commissioners, suggesting, “In the five years ahead a certain number of these incoming commissioners will have a huge influence on digital rights and security issues that impact the lives of European citizens and, indirectly, the rest of the world.” [EurActiv] [Germany’s government is calling for “EU-wide retention of flight passenger data to combat the risk of terror,” and that move is “sparking opposition in the European Parliament.”] [During a meeting in Luxembourg, EU justice ministers for the first time “sounded out their political views on the balance between the right to be forgotten and the right to know“][The parliamentary committee in Italy’s Chamber of Deputies has published the initial draft of an “Internet Bill of Rights” it has been working on since August] [The ICO has updated its code of practice for surveillance cameras and personal information, cautioning that surveillance cameras “must only be used as necessary and proportionate to address real and pressing concerns.”] [The Paris Court of First Instance has found for the plaintiffs in a suit on the right to be forgotten]

EU – Commission to Focus on Data Protection

As the new European Commission starts its five-year term, plans include working toward agreement on the EU’s new data protection rules, a European Parliament media release states. Data protection will be a key area of focus. “The EU hopes that the legislative package, which has always had the complete support of the European Parliament, will be adopted in 2015,” the report starts, citing the European Commission Director for Fundamental Rights and Union Citizenship Paul Nemitz as indicating “if the political will exists, the council will adopt the package.” As Nemitz put it, “This reform will pave the way for a digital age with a fair competitive environment for European SMEs.” [EurActiv] See also: [Hogan Lovells Partner Eduardo Ustaran writes in a blog post, “2015 may be the year that sees the culmination of a legal modernisation process that has been running for the best part of four years.”] and [UK: Coming Down The Tracks: The Legislation That Will Make Data Protection Law Even Worse!] and [Hunton & Williams’ Privacy and Information Security Law Blog examines the Council of the EU’s proposed revisions to the compliance obligations of data controllers and data processors and the risk-based approach to compliance] [Christian Wiese Svanberg of Plesner Law Firm offers an overview of the recent EU Council of Ministers discussions on the proposed data protection regulation, noting “the reform now appears unstoppable, and fundamental changes to the scope and legal form of the proposal are becoming increasingly unlikely.”] [Christian Wiese Svanberg offers an overview of the EU Council of Ministers’ discussions of the proposed General Data Protection Regulation and the highly debated right to be forgotten] [Olivier Proust writes about the “burdensome exercise” that is notifying data protection authorities of data processing, noting it is still necessary.]

EU – No Details Being Shared on the DPC’s “Significant” LinkedIn Audit

The Office of the Data Protection Commissioner’s (DPC) has issued a “raft of ‘significant’ recommendations” last month for LinkedIn to improve the privacy of its 1.2 million Irish users. “The recommendations, delivered on behalf of all European citizens, represent the culmination of a year-long investigation,” the report states, noting the DPC “is not releasing any details of those ‘significant’ recommendations. Nor is it indicating what problems it may have discovered in relation to how LinkedIn treats our personal information.” The reason, a DPC spokeswoman explains, is that it is up to organizations “to decide whether to publish an audit report carried out by this office.” The report states LinkedIn has declined to share the findings of the audit. [Independent.ie] See also: [While it hasn’t yet received the increase funding expected, the Irish Office of the Data Protection Commissioner is getting a “range of measures designed to strengthen the office“]

EU – Amazon Web Services Opens German Location to Quell Privacy Concerns

Confirming a report from this summer, Amazon Web Services has opened a location in Frankfurt, Germany. The move is designed to help diminish the post-Snowden privacy concerns of Europeans, especially Germans. Gartner Research Director Gregor Petri said, “The customers who are the hardest to convince to move workloads out of the country are mostly from Germany.” Forrester Research’s Stefan Ried said, “With the announcement, Amazon sets itself up to address not only the typically higher legal compliance and security concerns of European customers but also gets more credibility with the usually more conservative CIOs across Europe.” [PCWorld] see also: [A German court wants clarification from the European Court of Justice on whether dynamic IP addresses constitute private data] See also: [UK: GCHQ’s outgoing director warns spies must monitor the internet]

Facts & Stats

WW – Attacks Up 48%; Data Security Legal Practice Booming

A new PricewaterhouseCoopers (PwC) study reveals that the number of detected cyber-attacks has gone up 48% since 2013. There will be approximately 42.8 million cyber-attacks this year alone, or about 117,339 attacks per day. The study notes, “It is no surprise to find that as the number of information-security incidents continues to mount, so do financial losses.” Meanwhile, corporate “legal spending on cybersecurity and data privacy issues is expected to grow at the highest rate of any practice area in 2015, as clients look to ramp up their efforts to address the increasingly prevalent and sophisticated threats to the sensitive data they hold.” Plus, New York’s banking regulator says law firms, as a vendor, need to be carefully watched to develop strong data security practices. [The Hill]

Filtering

WW – Google Changes Search Algorithm to Help Fight Piracy

Google made changes to its search algorithm that have had a noticeable effect on the number of video streaming and torrent sites that appear at the tops of results. Visibility of many sites known to offer pirated content has been significantly reduced. [Ars Technica] See also: [Montreal woman wins cash from Google for Street View cleavage]

WW – Survey Shows Orgs Disable Firewall to Improve Network Performance

According to a report from McAfee, while 60% of 504 surveyed IT professionals say security is paramount in network design, about 30% of organizations responding to the survey said that firewall security features are often disabled to boost network performance. McAfee senior director of network security Jennifer Geisler noted that “the way most firewalls are designed, it forces the trade-off so this is not a negative reflection on the administrator.” [Source]

Finance

US – Obama Signs Federal Card Security Order; MasterCard Unveils Biometric Cards; Apple Pay Available Today

President Barack Obama has signed an Executive Order that will bolster security for federal credit cards, a move designed to urge private-sector banks and retailers to follow suit. Starting in January, federal credit cards will use chip-and-PIN technology, and the White House said that Home Depot, Target, Walgreen and Wal-Mart will roll out chip-and-PIN-compatible terminals in all stores by January. Obama also called on Congress to enact data breach notification legislation, but that won’t happen this year. [Reuters] MasterCard announced it will introduce built-in fingerprint sensors for contactless payment cards in 2015. Starting this month, Apple Pay will work with iPhone 6 devices. [President Barack Obama signed an executive order that will bolster security for federal credit cards, a move designed to urge private-sector banks and retailers to follow suit, Reuters reports] [The U.S. Consumer Financial Protection Bureau finalized a rule allowing certain financial institutions to post annual privacy notices online rather than by paper delivery] and [In a filing with the FCC, the American Bankers Association (ABA) said banks that call or text customers run the risk of being sued under the Telephone Consumer Protection Act, a 23-year-old law that requires consumers’ consent to being called on their mobile phones] and [The California Superior Court has ordered Bank of America to turn over call recordings made with borrowers during the period of the Excessive Forbearance Remediation Project in 2013, subject to the Privacy Notice]

US – PCI Issues Security Awareness Guidance

PCI leaders have for months stressed the need for merchants to implement more structured employee education programs around data security. Now the PCI Security Standards Council has outlined just how it expects businesses that handle card data to address employee education. In a 28-page supplement to security awareness program best practices, the council reiterates that continuing employee education about how to detect and mitigate data security risks is a PCI compliance requirement. Three key points noted in the guidance include:

  • The need to assemble a security awareness team, which is responsible for the development, delivery and maintenance of the security awareness program;
  • Why developing security awareness content for the business plays a critical role in developing appropriate content and training information; and
  • How business can use security-awareness checklists to monitor and security awareness training programs.

The guidance’s appendix also includes a detailed checklist with specific compliance recommendations for each of the PCI-DSS requirements included in version 3.0. While this guidance is directed at requirement 12.6, which deals with information security policies and awareness programs, it touches on a range of security best practices – a comprehensive take on PCI compliance that industry security experts agree is needed. [Bank Information Security]

WW – Home Depot Breach Costs Twice Target’s

A new survey reveals that credit unions spent $60 million after the data breach at Home Depot last September, a cost that is more than double that of Target’s. The Credit Union National Association (CUNA) survey noted that 7.2 million consumer cards at credit unions were affected, and that, on average, it costs $8.02 to reissue a card. CUNA’s president and CEO said, “The bottom line is that credit union members end up paying the costs—despite the fact that the credit unions they own had nothing to do with causing the breach in the first place.” Retail groups pushed back in a letter sent to CUNA. “Even after absorbing substantial fraud losses,” the letter stated, “merchants are subject to massive fines by Visa and MasterCard networks and hundreds of millions of dollars in restitution through private litigation for cybersecurity breaches.” [The Hill]

WW – Coalition Launches Bitcoin Principles; EFF Aims to Stop NY Bitcoin Rules

A coalition of cryptocurrency companies has endorsed a new principles-based framework aimed at bolstering identity security, trust and access to a shared data Internet. The initiative was spearheaded by the institute for Data Driven Design out of the MIT Media Lab, and the resources—called the Windhover Principles—are being implemented on an open source platform, the report states. “The Windhover Principles for Digital Identity and Trust are deeply rooted in the belief that individuals should have control of their digital personal identities and personal data,” an announcement said. “Underlying this core value is the principle of ensuring innovation in trust and privacy.” Meanwhile, the Electronic Frontier Foundation has launched a “Stop the BitLicense” initiative, arguing New York’s proposed Bitcoin rules could threaten privacy rights. [InsideBitcoins] See also: [India: Swiss authority willing to disclose info on black money:Centre]

FOI

CA – NB Ombudsman, Privacy Boss Call for More Open Government

Observers and officials are calling on Premier Brian Gallant to steer a cultural shift in New Brunswick’s civil service toward more transparency and less partisanship. The province’s Right to Information and Privacy Commissioner and the Ombudsman both say there needs to be a real change. A focus on government secrecy and partisanship in the civil service follows on some recent revelations:According to a poll commissioned by CBC News ahead of the Sept. 22 provincial election, New Brunswickers care more about transparency and integrity than they do about public education, taxation and shale gas. Residents have been largely left in the dark by their government on some major undertakings. Both the previous Liberal government’s move to sell NB Power and the Alward government’s forestry deal were criticized over secrecy. [Source] and also: [Alberta care homes fight to prevent release of financial reports]

CA – UPEI Student Union Wants University Included Under FOI Legislation

If a UPEI student wants information about the P.E.I. Sports Hall of Fame, they can file a freedom of information request and appeal a denied request. If that student wanted to do the same thing with their university, they would be out of luck. It’s a point UPEI student union president Lucas MacArthur made when he pitched the idea of including the university in Freedom of Information and Privacy Protection legislation to the education and innovation committee. MacArthur said P.E.I. is the only province that doesn’t include post-secondary institutions in its access to information law. The student union executives are meeting with Justice Minister Janice Sherry on Nov. 26 to discuss the issue. [Source] See also: [Toronto: School trustees not compelled to post details of expenses] and [Toronto school board trustees tampered with FOI request for expense reports, emails suggest]

Genetics

CA – Ottawa Proposes DNA Database

Ottawa is one step closer to creating a DNA-based national missing-persons tool it says will assist coroners and police in solving cases and identifying human remains – a victory for families who have long pressed for the database despite privacy concerns and funding obstacles. The proposed legislation, introduced in the Conservatives’ latest budget bill, is the culmination of more than a decade of advocacy by those calling for a system that can compare missing persons’ DNA with samples culled from unidentified human remains. Victims’ families say the national database will give them the comfort of knowing that if their missing loved one is in a morgue somewhere, at least they’ll know. The budget bill is aimed at creating a missing-persons index, a human-remains index and an index for relatives whose profiles may be valuable in locating loved ones or identifying remains. The new indexes will be housed within the RCMP’s National DNA Data Bank facility, which already holds a crime-scene index and a convicted-offenders index. The legislation says profiles uploaded to the missing-persons index and the human-remains index can be compared against those in the crime-scene index and the convicted-offenders index – a move that could set up a battle with the Office of the Privacy Commissioner, which said it doesn’t object to a missing-persons database so long as it’s tightly secured and independent from the criminal indexes. The Privacy Commissioner’s Office told The Globe and Mail it is reviewing the proposed amendments to the DNA Identification Act and will be looking closely at the relationship between the new indexes and the existing criminal ones. The Criminal Lawyers’ Association has also raised concerns about linking the various indexes, saying it’s possible an intentionally “missing” person’s DNA could innocently end up at a crime scene. The association argues police might then become aware of that person’s whereabouts, infringing on privacy rights. [Source] See also: [Nevada’s four-month-old law requiring DNA samples be taken form all individuals arrested for a felony has received little pushback]

Health / Medical

US – DHS ICS-CERT Investigating Medical Device Vulnerabilities

An unnamed official at the US Department of Homeland Security (DHS) said that the agency’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is investigating approximately two dozen cases of vulnerabilities in medical devices. While there have been no reported attacks exploiting these flaws, DHS is concerned that they could be exploited to cause heart implants and drug infusion pumps to malfunction. [ArsTechnica] [InformationWeek] [BBC] [SCMagazine] [IBT]

US – Federal Court Rules No HIPAA Violation in Malpractice Reform

A Florida federal appeals court recently ruled that physician defendants may have equal access to the health information of plaintiffs and that such access does not violate the Health Insurance Portability and Accountability Act. A tort reform law, which was upheld by this decision, states that prospective plaintiffs must submit a written request that authorizes defendants to access health records and conduct ex parte interviews. Jeff Scott of the Florida Medical Association said, “The impact is: It’s going to level the playing field in medical malpractice cases by giving defendant physicians the same access to crucial expert witnesses that the plaintiff has.” [Health IT Security] See also: [A Florida court has ruled that physician defendants may have equal access to the health information of plaintiffs and that such access does not violate the Health Insurance Portability and Accountability Act] and [Bloomberg BNA reports on the ambiguities that occur when the U.S. Health Insurance Portability and Accountability Act and the Telephone Consumer Protection Act intersect] See also [US: Potential Health Data Breach, Medical Records Fly off Truck] and [Hospital privacy violations rife in Ontario] and [Yellowknife woman’s psychiatric report lands in employer’s hands] and [Ford’s records accessed at second hospital]

US – Apple’s Ban on Sharing HealthKit Data with Advertisers OK by FTC

Apple’s decision to bar HealthKit app developers from sharing user data with brokers or advertisers was a “welcome move” to FTC Chairwoman Edith Ramirez, Re/code reports. “Steps like this are, I believe, critical to fostering consumer trust,” Ramirez said during a conference Monday on connected devices. “Consumers will enthusiastically invite the Internet of Things into their homes, cars and workplaces only if they are confident that they remain in control over their data,” she said. The FTC has been looking into whether the government needs to get more involved in how companies are using Internet of Things data, and Ramirez has noted concerns about how such data is protected from hackers. [ReCode] See also: [US: Medical Information More Valuable To Hackers Than Credit Card Numbers] and [Beware of gift iPads]

Horror Stories

CA – Federal Data Breaches Up Again

The number of data breaches reported to the federal privacy commissioner by bureaucrats increased, hitting a record high according to a new report. Privacy commissioner Daniel Therrien said in his annual report to Parliament that 228 data breaches across the federal government were reported for the 12 month period ending March 31. Human error accounted for just over two-thirds of those breaches. The number was more than twice the number reported for the previous fiscal year. As a result the commissioner’s office issued a four-page tip sheet with checklists on four controls for protecting against breaches. Physical controls, for example, stress the importance of protecting devices not in use by placing them in locked cabinets or in storage areas where access is restricted. Technological controls would include encryption or strong passwords, with training for employees in each. Imprinting serial numbers on devices so they can be tracked is another recommendation. So is using portable storage devices to store personal information only as a last resort. Personnel security controls include regular mandatory training about security and privacy, and monitoring the use of personal storage devices by employees to ensure policies and procedures are being followed. Also in the report, the privacy commissioner’s office said it wants to get a better idea of how bureaucrats use portable storage, so it has started to study how into 17 departments and agencies use the devices and whether they have implemented policies and adequate controls. It hopes to have the report done in the next year. [Source]

US – Staples Breached

Staples said its computer systems were compromised, affecting customers’ payment card information. The office supplier is working with law enforcement to determine the extent of the breach and has not revealed when the attack occurred, at which stores or how many customers were affected. The Massachusetts-based office supply store chain has contacted law enforcement. Information from sources at banks in the northeastern US suggest that the breach affects stores in Pennsylvania, New York, and New Jersey. [Krebs] [The New York Times] See also: [The personal information of nearly 100,000 people seeking their high school transcripts was recently exposed on a site that helps students obtain their records] and [Canada: Staples investigating potential security breach of credit cards]

WW – D&T Report Offers Guidance for Determining Veracity of Data Leak Claims

Deloitte & Touche has published a paper that contains advice for determining whether data found on the Internet are actually data stolen from a company or if posted information is fake. Companies can check to see if the posted data are duplicates of data that has been posted previously; they can also check to see if the listed usernames actually exist, and if the passwords abide by the company’s password policy. [SC Magazine] [Krebs] [DarkReading] [Deloitte Report]

US – BBB Goes After Five Web Publishers for Lack of Enhanced Notice

The enforcement wing of the Better Business Bureau (BBB) has gone after five web publishers for not complying with the ad industry’s self-regulatory privacy guidelines. Answers Corporation, Best Buy, BuzzFeed, Go.com and Yelp have all agreed to revise their sites by offering “enhanced notice” on all pages where ad networks and other third parties collect information for use in targeted advertising. A spokesperson from Yelp said the company was contacted by the BBB’s enforcement unit in February, adding, “We immediately looked into whether any changes should be made to Yelp’s site and willingly made those minor updates.” Genie Barton, head of the BBB’s enforcement wing, said many web publishers appeared to be unaware of the self-regulatory principles. “We’ve done everything that we can to publicize it,” she added. [MediaPost] see also: [Librarians Are Dedicated to User Privacy. The Tech They Have to Use Is Not]

US – Employees of Fortune 500 Companies May Have Credentials Leaked

New research alleges that at 221 of the Fortune 500 companies, employees’ credentials are leaked online for hackers to access and use in cyber-attacks. Web intelligence firm Recorded Future said of the 600,000 websites that have posted users’ credentials from January 1 to October 8 of this year, 44 percent included a username-password combination from a Fortune 500 company. The leading industrial sectors affected include the financial sector and the retail/customer service vertical. Meanwhile, NetworkWorld reports on Voxis, a platform that allows cybercriminals to use stolen credit card data while avoiding fraud detection systems. Apple Pay competitor CurrenC, which is in beta, may have been breached, and cybersecurity firm IT Governance is urging U.S. organizations to implement ISO27001 to minimize data breach risk. [Mashable]

US – Hotel Company Files Complaint Against Insurer

InterContinental Hotels Group PLC has filed a complaint against Zurich American Insurance Co. “demanding coverage under two insurance policies for any potential losses that might result from a pending class-action accusing the hotel company of illegally recording customer service phone calls in California.” The class-action in question, which includes a potential class of 7,000 California residents, alleges Six Continents Hotels “recorded their calls to the company’s reservation hotline without their consent,” the report states. [Law360] See also: [Marketing Company Settles with Vermont AG]

Identity Issues

US – Report: Identity Fraud Surging

The Medical Identity Fraud Alliance’s new report, “The Growing Threat of Medical Identity Fraud: A Call to Action,” includes “several harrowing anonymous stories” as the number of medical data breaches continue to climb, Fortune reports. In fact, that number has quadrupled in the past five years fueled by “a decentralized U.S. health system, increasing digitization of records and demand in the black market,” the report states. “The crime itself can be very valuable to a cyber criminal or any criminal, even a low-tech criminal, and the reason is that the information contained in a medical record includes just about everything about you,” the Ponemon Institute’s Larry Ponemon said. [Source]

US – MyE-Verify to Use Cloud Services for Backend

The US Department of Homeland Security’s (DHS’s) MyE-Verify identity check tool allows people to place freezes on their Social Security numbers (SSNs). MyE-Verify has been available in some states since October 6 and is expected to be rolled out across the country by mid-2015. While DHS will operate the public facing website, the agency is looking for a cloud service provider to host the system’s backend. Here’s how the government describes Mye-Verify: “myE-Verify is a free, Web-based service that provides you with self-service features to participate in the E-Verify process. E-Verify is a Web-based system that enables an employer, using information reported on an employee’s Form I-9 for Employment Eligibility Verification, to determine if that employee is eligible to work in the United States. Many employers use E-Verify to verify the employment eligibility of their new employees.” [NextGov] See also: [850 voters in NYC are officially 164 years old]

US – Judge Finds Android IDs Are Not PII, Dismisses Cartoon Network Suit

A U.S. District Court judge has found that Cartoon Network (CN) doesn’t violate users’ privacy rights by transmitting the names of videos they view to analytics company Bango. Judge Thomas Thrash, Jr., dismissed a potential class-action lawsuit by an Android user alleging CN violated the Video Privacy Protection Act when it shared the titles of the videos he watched, combined with his Android ID, to Bango, which was then able to attribute his private viewing habits to an “existing digital dossier.” Thrash found Android IDs are not personally identifiable information, writing that although the randomly generated number is unique, “It is not, however, akin to a name. Without more, an Android ID does not identify a specific person.” [MediaPost]

US – LifeLock Introduces Consumer-Control Tool for Personal Information

LifeLock has announced it is beta-testing a new service that would allow consumers “to find and remove or suppress their personally identifiable information, such as name, address, age and known relatives, from selected common people-search websites and Internet-based advertising companies.” Called Lifelock Privacy Monitor, the free service “gives consumers better control of their privacy,” said LifeLock President Hilary Schneider, “and ultimately puts one more hurdle in the way of would-be identity thieves.” The company also recently conducted a survey that found 86% of consumers do not want their personal information sold by people-search websites and ad companies. [Source]

WW – Google Now Offering USB Key Security

Google is now offering optional enhanced security for users of its many services. The Security Key technology lets users of Google’s Chrome browser insert a key into a USB port on the device and tap it when prompted. It’s a more streamlined version of the 2-Step verification the company already offers, which sends users a code as a text message or email that users then enter. The new system requires that users purchase the USB key. The Center for Democracy and Technology’s Joseph Lorenzo Hall supports such technology, writing in a recent blog post that it’s time for “the beginning of the end of passwords.” [Google Online Security Blog] [Ars Technica] [Krebs] [CNET]

US – CES to Feature Companies Finding Solutions to ID Theft, Fraud

The Consumer Electronics Association (CEA) has announced the launch of the Personal Privacy and Cybersecurity Marketplaces at the 2015 International CES. The marketplaces will include personal cybersecurity products, solutions from smart wallets and safe payment apps as well as private Internet access. “As we all embrace the convenience and ‘always-connected’ powerful capabilities of our electronic devices, our privacy and security take on even more importance,” said a CEA spokeswoman, adding the CEA developed the marketplaces to highlight companies developing advanced solutions to stop identify theft, fraud and other cyber-crimes. [Press Release]

Intellectual Property

WW – OECD Releases Guidance on “Intangible Digital Content Products”

The OECD has released guidance urging governments and businesses to implement data protections for consumers of digital content. Consumer Policy Guidance on Intangible Digital Content Products was released on October 27, according to Bloomberg BNA, and it details customer surveys and complaints, including concerns about improper information disclosure as well as “misleading or unfair” data collection and use practices. Consumers also complained about poor redress mechanisms, the security of online payment systems and unclear terms of service. [OECD Library]

Internet / WWW

WW – Overview of Mauritius Conference of Data Protection Commissioners

The 36th International Conference of Data Protection and Privacy Commissioners (ICDPPC), held in Mauritius, “was an extremely productive and revealing event,” writes Hogan Lovells Partner Eduardo Ustaran. The ICDPPC, an annual gathering of data protection regulators “and other movers and shakers of the privacy world has become a reference point in terms of debating key public policy issues and coordinating regulatory strategies and actions,” Ustaran writes, noting the quality of the discussion and participants this year was top-notch. Given how active things are at the moment, this year’s conference did not disappoint. Ustaran highlights takeaways of particular relevance to the world’s privacy pros. [Privacy Perspectives] [The Big Takeaways From the DPAs Conference in Mauritius]

WW – ISO Cloud Standard Offers Help with Compliance Challenges

While cloud computing continues to grow, many organizations have delayed adoption due to the compliance concerns that come with sharing data with third-party providers. Kurt Wimmer and Caleb Skeath of Covington & Burling LLP write that the International Organization for Standardization’s (ISO) new standard, ISO 27018, is the first voluntary international standard for processing information that is specifically tailored for cloud providers and includes many requirements imposed by EU law. Because of this, “the new standard may provide … a quick reference point to evaluate the security practices of cloud service providers” and, as a result, may change the industry of cloud computing. Meanwhile, it will be difficult for healthcare companies “to fully trust cloud software vendors” unless governments “tighten the regulatory screws on SaaS vendors to make them be more transparent and forthcoming about their security practices.” [Source] [Kurt Wimmer and Caleb Skeath of Covington & Burling LLP write that the International Organization for Standardization’s (ISO) new standard, ISO 27018, is the first voluntary international standard for processing information that is specifically tailored for cloud providers and includes many requirements imposed by EU law.]

Law Enforcement

CA – RCMP Failed to Keep Records on Warrantless Access, Watchdog Says

There’s no way to know if the RCMP complied with privacy laws in requesting Canadians’ personal information without a warrant, or even how often the Mounties made such requests, according to Ottawa’s privacy watchdog. Privacy Commissioner Daniel Therrien said his office was not able to track how often the national police force requested access to Canadians’ personal information without a warrant — because the RCMP don’t track that information themselves. Therrien’s office revealed they were formally reviewing the RCMP’s warrantless access practices after the Star and the Halifax Chronicle Herald reported that police forces asked nine telecommunications companies for their customers’ information 1.2 million times in 2011 alone. Since launching the review in October 2013, Therrien’s office interviewed 50 RCMP members, including senior officers, field agents making warrantless requests, and IT specialists. After reviewing RCMP databases, which receive round two million new entries per year, the watchdog’s investigators could only find a few cases where they could identify a warrantless request had been made. [Source]

US – Local Cops Say Your Driving History Is Public — Unless You Want a Copy

Monroe Police have been using high-speed cameras to capture license plates in order to log vehicle whereabouts. As of July, the County’s database contained 3.7 million records, with the capability to add thousands more each day. The justification for cops having records of the whereabouts of law-abiding citizens is that the vehicles are driven in public and therefore drivers have no expectation of privacy. It’s an argument that’s at odds with the Supreme Court’s 2012 ruling in U.S. v. Jones. In Jones, a GPS tracking case, the court held that individuals do have an expectation of privacy when it comes to their long-term whereabouts, even when using public roads. [Source]

US – Virginia Police Departments Sharing Suspects’ Phone Metadata

For nearly two years, several law enforcement agencies in Virginia have been sharing suspects’ phone metadata with each other. The information, shared between five police departments, has been compiled into a database. [Ars Technica] [Virginia Police Have Been Secretively Stockpiling Private Phone Records] See also: [UK: Police apologise after personal details of crime victims leak online]

Location

WW – Apple’s New OS X Yosemite Sends Search Data and Location back to Company Servers

While Apple has made headlines recently for its enhanced encryption in iOS 8, the company’s newest Mac operating system, OS X Yosemite, reportedly leaks user information by sending location and search data when users query Spotlight, the operating system’s search feature. [ArsTechnica] [TheRegister] [Spotlight: Privacy Advocates Furious As Apple Feature Siphons Off Location Data of Yosemite And iOS 8 Users][Users can turn off the setting in Mac OS X’s System Preferences]

Online Privacy

US – Verizon Under Fire for Inserting Unique Identifiers, Tracking Internet Activity

Verizon Wireless has been inserting Unique Identifier Headers (UIDH) into data flowing between its users and the websites they visit. The short-term string of approximately 50 characters helps advertisers identify users on the web, and according to the report, “it’s the lynchpin of the company’s Internet advertising program.” The Electronic Frontier Foundation’s Jacob Hoffman-Andrews said, “ISPs are trusted connectors of users and they shouldn’t be modifying our traffic on its way to the Internet.” A Verizon spokeswoman said the company doesn’t use the UIDH to create customer profiles and customers who opt out of the Relevant Mobile Advertising program will not receive targeted ads. [Wired] [Ars Technica] [Verizon Wireless] See also: [Forbes: The Scoop on Permacookies] and [Unraveling and Unpacking the Technology of Web Tracking]. Meanwhile, technologists have developed a Firefox browser extension called AdNauseum that aims to turn ad blocking into a form of protest. The extension clicks on online ads that are blocked by AdBlock instead of ignoring them. One of its developers said “it is not advertising we are protesting but advertising insofar as it represents a dominant means of tracking.” Meanwhile, a program at Verizon Wireless gives customers points toward rewards like the “perfect night out” or other entertainment in exchange for their personal information. UPDATE: [Somebody’s Already Using Verizon’s ID to Track Users] see also: [Comcast customer files lawsuit claiming privacy violation]

US – Facebook Says Political Data-Mining Deal Is Privacy-Safe

Facebook is mining data on its users’ political views and plans to share those insights with ABC News and BuzzFeed for use in their reporting in 2016. The data will be collected from users 18 and older in the U.S. and will classify political sentiment as positive, negative or neutral. Facebook Director of News and Global Media Partnerships Andy Mitchell said, “Given the volume of conversation around politics on Facebook, we believe this data truly represents what the American people think about the potential candidates.” A Facebook spokesperson said the data “is gathered in an aggregated and depersonalized manner in a privacy-safe way.” [Politico] See also: [Twitter and IBM strike data mining agreement, Report] See also: [Online privacy taught to teens at Calgary conference] and also: [Social media is our modern diary. Why do tech companies own all the keys?]

WW – Facebook Experiments to Improve Tor Access

Facebook London Software Engineer for Security Infrastructure Alec Muffett writes about the social network’s efforts “to provide methods for people to use our site securely” and an experiment that “makes Facebook available directly over Tor network” via an “onion” address. “Tor challenges some assumptions of Facebook’s security mechanisms,” he writes, describing how a Tor user “who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada” might be mistaken for a botnet. “Facebook’s onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud,” Muffett writes. [Source] SEE ALSO: Facebook has unveiled a new pseudonymous app called Rooms, developed by Josh Miller, which is reportedly the first product where Facebook doesn’t require users to use their real names.

WW – Apple Responds to Privacy Concerns About Spotlight

Apple’s Spotlight search function, updated last week with the latest version of Apple’s operating system and also available for older machines to download. The tool offers Google search suggestions and allows users to search their PCs or the Internet via Bing. Following privacy concerns that it was collecting user location data, Apple issued a statement clarifying Spotlight’s data collection practices, including that it doesn’t retain IP addresses and blurs locations. “We are absolutely committed to protecting our users’ privacy and have built privacy right into our products,” Apple said, adding it has worked to minimize the amount of information sent to the company. But security expert and new FTC CTO Ashkan Soltani called the feature the “worst example of ‘Privacy by Design’ I’ve seen yet.” [The Washington Post]

US – Senator Demands Explanation from Whisper Over User Tracking

Fallout from last week’s report by The Guardian about several privacy issues with anonymous social media app Whisper continued after Senate Commerce Committee Chairman Jay Rockefeller (D-WV) wrote a letter to the company’s chief executive asking for a detailed, in-person meeting, The Guardian reports. In his letter, Rockefeller told Whisper CEO Michael Heyward that as commerce chair, Rockefeller has “jurisdiction over the FTC and consumer protection issues including online privacy.” Last week, Whisper’s editor-in-chief said The Guardian’s report was “a pack of vicious lies,” but last weekend, in a statement, Heyward said, “We realize that we’re not infallible.” [The Guardian]

US – Whisper Fires Back Against Accusations

The company behind Whisper—the site enabling users to make confessions they’d be unlikely to make publicly, while promising anonymity and claiming to be the safest place on the Internet—is tracking user location. Further, it reports the company is sharing information gleaned from smartphones being operated from military bases with the U.S. Department of Defense. However, the company has written a five-page statement alleging the story is inaccurate. “Whisper does not collect nor store any personally identifiable information from users and is anonymous,” the company said. “There is nothing in our geolocation data that can be tied to an individual user and a user’s anonymity is never compromised.” [The Guardian] See also: [What happens when your friend’s smartphone can tell that you’re lying]

CA – Negative Online Reviews Led to Threats of Legal Action from Targeted Businesses

It’s just an opinion, right? But if you post it online, you could get some unwanted attention from lawyers. A growing number of companies are going after people who post negative reviews online. Ottawa student Olivia Parsons learned that the hard way. After moving out of her apartment in June, she says she posted several less-than-flattering online reviews on Google and Yelp. The reviews took aim at CLV Group — the company that manages the building. According to its website, CLV manages more than 7,500 rental apartments in Ontario and Quebec. Parsons was upset about fees she was asked to pay after moving out and the way, she says, the company handled the issue. About a week later, Parsons got a surprise in the mail — a letter from CLV Group’s lawyer demanding Parsons immediately stop posting negative reviews and that she delete the ones already up. The letter described her reviews as “false” and “misleading” and damaging to the company’s reputation. That letter came as a surprise for another reason. Parsons used an online pseudonym. Yet the company was still able to track down her real name and even her new address. She has no idea how they managed to do that. [Source]

US – Ello Gets $5.5 Million in VC

Privacy-promising social network Ello has received $5.5 million in venture capital funding, while simultaneously filing as a Public Benefit Corp. in Delaware, which makes it “impossible under U.S. law for investors to require Ello to show ads, sell data or sell the company to any buyer who would violate those conditions.” Addressing skepticism about Ello’s plans for not selling data to third parties, Ello investor Seth Levine said, “Our belief is that there are products and features that Ello can develop that users will be willing to pay for.” [TechCrunch]

Other Jurisdictions

AU – Gov’t Delays Vote on Metadata Bill

The Australian government will delay a parliamentary vote on a mandatory metadata retention bill until next year, The Guardian reports. The bill would require Australian telecommunications companies and ISPs to store data on users—specifically IP addresses and who users have emailed but not their web-browsing history—for two years, but, it will not be subject to a vote until a bipartisan committee initiates an inquiry. A communications spokesman for the Labor party said, “It involves privacy concerns from everyone that’s got a mobile phone or access to the Internet and potential cost concerns.” [The Guardian]] [Australian Communications Minister Malcolm Turnbull has introduced a bill that would repeal certain reporting requirements for telcos] [Australian Immigration Minister Scott Morrison is defending a proposal to collect biometric data, noting such retention of “sensitive personal information on travelers was becoming a ‘common standard’ for countries.”] and [The Office of the Australian Information Commissioner has released its 2013-14 Annual Report, which shows the office handled a record number of complaints] and also [The New South Wales Office of the Attorney General “has confirmed the government’s intentions” to include rules for “storing data offshore, particularly as part of cloud computing arrangements.”] and also: [Hong Kong Privacy Commissioner Allan Chiang has issued guidance on a number of data protection issues banks must consider]

Privacy (US)

US – NSA Phone Program Faces Court Test

In a case that will be “closely watched,” the DC Circuit Court of Appeals will hear arguments challenging the constitutionality of the NSA’s bulk phone data collection program. Plaintiff Larry Klayman said “all we’re really asking is that the NSA adhere to the law.” The FBI is urging Congress to change the Communications Assistance for Law Enforcement Act to essentially force companies to give the FBI a mobile device master key to sidestep encryption. Section 213 of the USA PATRIOT Act, which allows for so-called “delayed-notification search warrants” concerns privacy advocates that such “sneak and peak” warrants are also being used in cases not involving suspected terrorists. See also: Colorado’s senate race, Sen. Mark Udall’s (D-CO) political fight for survival and what his loss could mean for surveillance reform. [Source]

US – ACLU Challenging School District Digital Policy for Violating Students’ Rights

The ACLU is challenging a Tennessee school district’s policy of searching students’ electronic devices and monitoring and controlling what the students post to social media. The policy also allows schools to monitor communications sent through or stored on school networks. The ACLU says the policy is broadly written and “demonstrates a fundamental misunderstanding” of students’ constitutional rights. [WIRED] [Policy] [ACLU Letter] See also: [“Al Quaida” SSID causes flight delay]

US – Google, Viacom Ask Judge to Dismiss Suit “With Prejudice”

Google and Viacom have asked a federal judge to throw out a proposed class-action suit that alleges the companies violated children’s privacy rights by collecting personal data from those visiting sites like Nick.com for example. The suit, “which was brought in 2012 on behalf of a group of children, stems from allegations that Viacom allows Google to set tracking cookies on Nick.com, Nickjr.com and Neopets.com,” the report states, noting an earlier version of the suit was dismissed without prejudice in July , “meaning that the children’s lawyers could amend their allegations and try again,” which they did, in August. Google and Viacom are urging the judge “to dismiss the lawsuits with prejudice, which would prevent the users from bringing the complaint again.” [Media Post] See also: [Federal Court Won’t Revive Redbox Suit] nad [A New Jersey federal judge threw out a Wyndham Worldwide Corp. shareholder’s derivative action over a series of security breaches] and [In a case deciding whether the display of ads by Google’s Remarketing service violated the Israeli Spam Act, a district court correctly dismissed the case but in turn “practically altered the law’s provisions”] and [Judge Thomas Thrash, Jr., dismisses a potential class-action lawsuit by an Android user alleging Cartoon Network violated the Video Privacy Protection Act when it shared the titles of the videos he watched, combined with his Android ID, to Bango, which was then able to attribute his private viewing habits to an “existing digital dossier.”]

US – SCOTUS to Take Up Hotel Privacy Rights Case

The Supreme Court agreed to take up a hotel privacy rights case involving a Los Angeles city ordinance that requires hotels to maintain detailed guest lists and make them “available to any officer of the Los Angeles Police Department for inspection.” In December, a “divided” Ninth Circuit Court of Appeals said the ordinance violated the Fourth Amendment. The plaintiffs’ lawyer said, “A lot of the hotel owners in the LA area are being subject to warrantless searches under this ordinance.” Lawyers representing the city said the ordinance helps police investigate crimes, locate fugitives and could assist in responding to a homeland terrorist attack. [The Wall Street Journal] See also: [Police: Texas women digging through hotel dumpster had guests’ credit card information]

US – DMA, Venable Release Breach Notification Guide

The Direct Marketing Association (DMA) and Venable LLP have released a new guide on state data breach notification laws, according to a press release. The Essential Guide to Data Breach Notification is being distributed now. “We hear nearly every week about the occurrence of data breaches,” said Peggy Hudson, DMA’s senior VP for government affairs. “Data security and consumer trust are inextricably linked, and it’s up to all marketers to act as stewards of consumer information. With this guide and our extensive advocacy efforts, DMA is making the task of data stewardship more manageable for responsible actors across the data-driven marketing economy.” [Source] [DMA Fact Sheet]

US – Most U.S. Farmers Worried About Data Privacy -Farm Bureau Survey

Three out of four U.S. farmers fear data they share with companies offering big data services may fall into the wrong hands or be used without their consent, including for commodity market speculation, according to a survey published this week. The American Farm Bureau Federation said in the survey of 3,380 farmers from late July to September that more than 82% of farmers are unsure how companies selling data-mining tools aimed at boosting yields and efficiency plan to use their data. (Survey findings). Despite the unease, more than half of farmers say they plan on investing in new or additional precision planting or data gathering tools in the future, according to the survey by the country’s largest farmer organization. [Source]

US – Privacy Act Turns 40, Gets Roasted

The Privacy Act turned 40 this year. To celebrate, Georgetown Law’s freshly launched Center on Law and Technology held a birthday party of sorts. Well, a birthday party where the guest is partly celebrated but mostly roasted by all of its friends and foes and then told how it can improve. But who doesn’t love a good roast? The event featured an all-star roster of panelists who discussed how the law came to be and why it was so desperately needed 40 years ago, as well as the ways its provisions now fail to protect Americans thanks to technology, the ascension of big data and some pretty sneaky workarounds created to circumvent the law’s prohibitions. [IAPP Privacy Advisor]

US – Ashkan Soltani Named FTC’s New Chief Technology Officer

The U.S. FTC named Ashkan Soltani as its new chief technology officer. Soltani, who has been an independent security researcher and investigative reporter, is taking over for Latanya Sweeney, who will be returning to Harvard University. “Technology and online and mobile platforms are continuing to evolve at a rapid pace and will remain a key focus for the FTC,” said Chairwoman Edith Ramirez, adding, “I am very grateful to Latanya Sweeney for her outstanding work … particularly for her leadership in strengthening the commission’s efforts to better protect sensitive consumer information.” Soltani will take up his new role in November. [FTC] See also: [Omer Tene breaks down the FTC’s reasonable standard and how it can help you navigate the uncertainty of “reasonable security.”]

Privacy Enhancing Technologies (PETs)

WW – Overview of Emerging Tokenization-as-a-Service Model

Payments security specialist Ian Hermon writes about the emergence of the tokenization-as-as-service model for payment card data protection. He points out that tokenization “protects merchants by devaluing the data they need to hold,” thus making it less desirable for hackers—a notion highlighted last week in the California attorney general’s report on data breaches. A report released by security company Solutionary reveals that 75% of the companies it assisted had no cyber-incident response team or policies and procedures in place. Cybereason CEO and Cofounder Lior Div argues, in a column for Forbes, that the “main reason … security fails to successfully battle complex hacking operations is not due to a lack of competency or negligence” but rather “because security teams desperately lack context.” [SC Magazine]

US – Karp: Engineers, Technologists Can Help Mine Data and Protect Privacy

Palantir Technologies Chief Executive Alex Karp says privacy is at risk in the current data ecosystem, but engineers and technologists can help protect individuals from government snooping by placing “tags” on data that would require anyone who uses a given data point to disclose how they’re using it. Palantir has developed similar technology for the private sector and law enforcement agencies. “The behavior should be tagged in a way that a third party can always be aware of what (the engineer) is doing,” Karp said. He also noted that more technologists should go to work for the U.S. government because it is in short supply of engineers, the report states. [WSJ] See also: [Will Breaches and Privacy Concerns Lead to the Rise of the Personal Cloud?] See also: [Professor: Anonymous Apps Give False Sense of Security] and [The Hidden Privacy Threat of … Flashlight Apps?] and [MIT Tech Review: Well-funded start-up Illumio says it has created software designed to reduce intrusions and protect data centers from massive breaches] SEE ALSO” [A Look at Dynamic Data Obscurity: What Anonymization and the TSA Have in Common] AND [Experts Point to ‘Responsible’ De-identification Methods as the Means to Protect Patient Privacy and Harness the Power of Big Data for Much-Needed Research and Analytics] AND [US: Riding with the Stars: Passenger Privacy in the NYC Taxicab Dataset]

WW – Kickstarter Suspends Funding for Privacy Router

Kickstarter has suspended funding for Anonabox, a privacy-enhancing router project, for allegedly misleading investors. In an email to investors who had pledged money to the project, Kickstarter said “a review of the project uncovered evidence that it broke Kickstarter’s rules,” including “offering purchased items and claiming to have made them yourself” and “presenting someone else’s work as your own” as well as “misrepresenting or failing to disclose relevant facts about the project or its creator.” A post on Reddit revealed that what the project’s creator, August Germar, said was custom-built hardware was already for sale by Chinese suppliers. [Wired] Meanwhile, web creator Tim Berners-Lee is backing MeWe, a private communications network that combines social media, cloud storage and individual and group messaging, all with privacy at the forefront. See also: [Opinion: Better data privacy will boost innovation]

WW – Google Employs 1960s-Era Technique for Privacy-Friendly Stats Collection

Google plans to use a technique developed in the 1960s in a project aimed at gathering users’ computer data in a privacy-friendly manner. Named Randomized Aggregatable Privacy-Preserving Ordinal Response , the project will collect software statistics, including security flaws, without compromising sensitive information. It does this by using a “statistical trick … allowing software to send reports that are effectively indistinguishable from the results of random coin flips and are free of any unique identifiers,” said Ulfar Erlingsson, the project’s lead tech manager for security research. “However, by aggregating the reports, we can learn the common statistics that are shared by many users.” Google will present a paper on this at the ACM Conference on Computer and Communications Security [PCWorld]

Security

US – NIST Issues Information Sharing Guidelines for Public Comment

The US National Institute of Standards and Technology (NIST) has released a draft of its Guide to Cyber Threat Information Sharing for public comment. “The goal of the publication is to provide guidance that improves the efficiency and effectiveness of defensive cyber operations and incident response activities, by introducing safe and effective information sharing practices.” NIST will be accepting comments through November 28. [Source]

US – NIST Warns of Security Issue in Samsung’s “Find My Mobile” Service

A vulnerability in Samsung’s “Find My Mobile” service could be exploited by attackers to lock the devices. The National Institute of Standards and Technology (NIST) has issued a warning about the problem. [ComputerWorld] [NIST]

Smart Cards

US – US Defense Dept Starting to Roll Out Chip-and-PIN Cards for Travelers

The US Department of Defense (DOD) has issued approximately 600 payment cards with chip-and-PIN technology to members of the military who travel. All 1.3 military travelers will have the new cards by the end of summer 2015. DOD military travelers may also request the cards starting in January 2015. [NextGov] [US Government to Require Chip-and-Pin for Federal Payments]

US – POS Malware Persistent

Point-of-sale malware known as Backoff is still being found on systems in the US. According to numbers from Damballa, Backoff infections increased 57% in August and 27% in September. It is unlikely that infections will decrease any time soon as the holiday shopping season draws near. [The Register] [NBC News]

US – Automakers Working on Protecting Vehicle Data Privacy

The Association of Global Automakers — the trade association representing Toyota Motor Corp, Honda Motor Co., Nissan Motor Co., Hyundai Motor Co. and other foreign automakers — and the Alliance of Automobile Manufacturers — the group representing U.S. automakers, Toyota, Volkswagen AG, Daimler AG and others — both say they are working together to ensure driver data privacy. The two groups told the National Highway Traffic Safety Administration late Tuesday they are working jointly to write consumer privacy protection principles. Sen. Al Franken, D-Minnesota, has raised concerns about driver privacy because of consumer data from GPS and in-vehicle systems. Global Automakers told NHTSA it supports making vehicle to vehicle communications required. [Source] See also: [Napel: Where’s the Security for Wearables?]

Surveillance

US – Intelligence Director’s Interim Report Calls for Privacy Improvements

The Office of the Director of National Intelligence (ODNI) has issued an interim report on the implementation of Presidential Policy Directive/PPD-28, Signals Intelligence Activities. The directive was issued in January of this year and establishes new principles and strengthens oversight on signals intelligence activities. The interim progress report recommends ensuring “privacy and civil liberties are integral considerations in signals intelligence activities,” say Alexander Joel, CIPP/US, CIPP/G, and Robert Litt, in their announcement. Among the key points denoted by the Civil Liberties Protection Officer and the General Counsel for ODNI are a call for improving how privacy and civil liberties complaints are handled and reviewing training “to ensure that the workforce understands the responsibility to protect personal information, regardless of nationality” with completion of the training “a prerequisite for accessing personal information in unevaluated signals intelligence.” [Source] See also: [FBI Director: Post-Snowden Pendulum Has Swung Too Far] and [How the FBI caught a teenager making bomb threats: It planted a fake news article about him and hoped he clicked it]

US – Florida Supreme Court Says Warrant Required for Cell Phone Tracking

Florida’s Supreme Court has ruled that law enforcement must obtain a warrant before collecting cell phone location data. The court ruled that obtaining cell tower location data from service providers in real-time constitutes a Fourth Amendment search and therefore requires a warrant. The case involves cell data from a provider but could likely be applied to devices like StingRays, which simulate cell tower signals. [WIRED] [ArsTechnica] [SCMagazine] [Ruling] and also: [US: Can privacy be applied when using mobile phones for Ebola contact tracing?]

US –Washington, DC Police and Stingray

Documents obtained through a Freedom of Information Act (FOIA) request show that police in Washington, DC have had a StingRay cellular surveillance device since 2003, but it remained unused until 2009, when officers were trained in its use. StingRay is a trademarked name, but has come to serve as a generic term for the technology. The devices, also known as IMSI catchers, can determine the location of cell phones as well as intercept calls and text messages. They also vacuum up data from other phones in the area. [Ars Technica]

UK – Schneier, Diffie, Ex-MI5 Bod, Privacy Advocates Team Up On Code Red

Security experts including Bruce Schneier and Whitfield Diffie are teaming up with privacy advocates to form a new privacy group that aims to champion privacy against the growing tide of intrusive government surveillance. The project, Code Red, is due to begin in January with the aim of becoming a “strategic think tank and campaign clearinghouse to provide new resources and tactical advice to human rights groups across the world”. The project reflect concerns that that government surveillance and intrusion has escalated – despite the national security disclosures by whistleblower Edward Snowden. Code Red aims to support whistleblowers as well as human rights groups. Code Red has put together an impressive cast of members on its steering group including Diffie, one of the pioneers of public key cryptography, and influential security expert Schneier as well as Tor developer and Snowden disclosures affiliate Jacob Appelbaum. Code Red’s steering group includes several influential figures in civil society, among them MI5 whistleblower Annie Machon, former US Congress member and presidential candidate Cynthia McKinney, former Wikimedia General Counsel Mike Godwin, the Electronic Frontier Foundation’s International Rights Director Katitza Rodriguez and the former editor of Index on Censorship Judith Vidal-Hall. [Source]

SK – Government Tries to Ease Public’s Online Privacy Fears

South Korean Prime Minister Chung Hong-won is trying to ease fears among the public about online privacy after prosecutors last month launched a cyber-investigation team to help uncover online rumors that President Park Geun-hye said “crossed the line.” As a result, citizens have been fleeing a domestic chat app to a foreign rival due to fears the government is spying on their conversations. Hong-won said the government is only monitoring for high-profile crimes such as murder, human trafficking or insurrection. The prime minister’s office said he has “emphasized that the government has been steadfast in ensuring freedom of expression and other basic privacy rights and will continue to do so.” [Reuters]

UK – Lords Consider Drone Laws Over Privacy Fears

A House of Lords committee will hear from drone safety experts about whether legislation needs updating. The committee is investigating the civil use of unmanned aerial vehicles (UAVs) and is expected to report its findings in 2015. The popularity of drones has surged as the technology has improved, leading to a consumer boom in cheaper, simpler models. Among the questions the committee will seek answers to are the implications of drones for air traffic control, and whether drones will be affected by current data protection legislation. [Source] See also: [The Skies Are Watching You] and also: [Nevada: Where Drone and Data Scientist Jobs Are Headed]

Telecom / TV

US – Advocates Concerned About Phone “Kill Switch” Legislation

Several states are attempting to pass legislation requiring cell-phone makers to include a “kill switch” in the devices allowing for remote shutdown capabilities in an attempt to stymy cell-phone theft and protect the personal data of consumers. But the legislative trend is raising red flags for privacy advocates who say such kill switches would provide law enforcement with too much power, potentially preventing citizens from communicating and documenting public demonstrations. The Center for Democracy & Technology’s Jake Laperruque said, “The idea of this being co-opted as an anti-protest tool is especially disturbing.” To date, California and Minnesota have passed kill-switch legislation, while Nevada and New Jersey are considering it. [USA Today]

WW – Why Consumers Should Be Scared of Smart TVs

Michael Price writes about why he’s scared of his new “smart television” after reading through its 46-page privacy policy. “The amount of data this thing collects is staggering,” he writes, adding users can always go with a “dumb” option, “but it comes at a cost. The device will not function properly or allow the use of its high-tech features,” leaving users “with an unacceptable choice between keeping up with technology and retaining their personal privacy.” Last year, the Center for Democracy & Technology’s Justin Brookman discussed how the lack of Privacy by Design in smart TVs will erode consumer trust. Meanwhile, five predictions for “addressable television,” includes how “privacy will be a key conversation.” [Salon] See also: [Whirlpool’s “Internet of Things” problem: No one really wants a “smart” washing machine]

US Government Programs

US – DHS Privacy Office’s Annual Report Outlines Next Priorities

The Department of Homeland Security’s Privacy Office has released its 2014 Annual Report to Congress, which includes highlights of such accomplishments as its Fair Information Practice Principles becoming “the privacy policy touchstone” for all federal agencies, its impact assessment official guidance becoming a model for agencies and foreign countries and its publishing of a directive on the department’s use of social media as a standard for other agencies’ use. The office will prioritize assessing new systems and programs to develop robust privacy protections; expand its service as a consultation organization and increase its engagement with the privacy community, among others. [Source] See also: [The “second source” for Snowden reporters, explained]

US – ICE Twice Breached Privacy Policy With License-Plate Database

Since February, shortly after the U.S. Department of Homeland Security (DHS) canceled plans for widespread access to a national license-plate tracking database, officials within the DHS’s Immigration and Customs Enforcement agency (ICE) have allegedly bypassed the privacy office on at least two occasions to purchase a one-year subscription to a license-plate tracking database. An ICE spokeswoman said use of the database is limited and a privacy impact assessment is in preparation. Rep. Bennie Thompson (D-MS) said, “there may be law enforcement need for certain personal information, [but] DHS must make sure that contracts of this nature are thoroughly reviewed by its privacy office and Office for Civil Rights and Civil Liberties to ensure compliance with all relevant laws and regulations.” [The Washington Post]

US – NSF to Fund Database Research Project

A US initiative will create a database for the collection, storage and analysis of learning and behavioral data generated by students via digital learning technologies. Called LearnSphere, the project will be led by researchers at Carnegie Mellon University, which is receiving $4.8 million in funding from the National Science Foundation. The eventual infrastructure, distributed across several institutions, third parties and for-profit vendors, will include a trove of anonymous data, including digital-interaction options, chat-window messages between students and possibly some biometric information generated during classroom interactions, the report states. A representative from the Electronic Privacy Information Center said LearnSphere “warrants further evaluation” before moving ahead. [Education Week]

US – FCC Brings Largest Enforcement Ever (Again): $10 Million

The FCC is planning to fine TerraCom and its affiliate YourTel America $10 million for several violations of laws protecting the privacy of phone customers’ personal information. It is the largest enforcement action in the commission’s history (beating out the $7.5 million fine for Sprint in May), according to an FCC press release. The companies “apparently stored Social Security numbers, names, addresses, driver’s licenses and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access.” In the companies’ privacy policies, they promised customers “technology and security features to safeguard the privacy” of that information, the FCC said. [Source] [The Federal Communications Commission intends to fine TerraCom and its affiliate YourTel America $10 million] See also: [Call Center Scams on Rise]

US – U.S. FCC Joins Global Enforcement Network

The U.S. Federal Communications Commission (FCC) has announced it has joined the Global Privacy Enforcement Network (GPEN). GPEN seeks to promote the cooperation and collaboration of global privacy enforcement authorities and includes about 50 data protection authorities. “We live in a world where threat to consumer privacy and data security often require the cooperation of numerous law enforcement agencies around the world,” said FCC Enforcement Bureau Chief Travis LeBlanc, adding, “If we are to detect, disrupt and dismantle these persistent global privacy assaults, it is critical that we work closely with our international partners abroad as well as our federal, state and local partners here at home.” [Source] [Does the FCC Have FTC Envy] See also: [The Blind Men, the Elephant and the FTC’s Data Security Standards] [The Federal Communications Commission announced it has joined the Global Privacy Enforcement Network.]

US – Report Examines USPS Audit, Lack of Controls in Law Enforcement Requests

According to a U.S. Postal Service Office of Inspector General audit that came out earlier this year, the USPS granted 49,000 law enforcement requests to track mail in 2013. Additionally, the inspector general said the program has “insufficient controls,” including the lack of proper approvals and justifications and failing to require annual reviews, the report states. The program’s shortcomings could “hinder the Postal Inspection Service’s ability to conduct effective investigations, lead to public concerns over privacy of mail and harm the Postal Service’s brand.” In another report revealed earlier this month, the Inspector General concluded nearly 14 million customer records had been put at risk when changing addresses. [Bloomberg]

US Legislation

US – 9/11 Commission Urges Cybersecurity Legislation

Members of the 9/11 Commission are urging Senate Majority Leader Harry Reid (D-NV) to pass cybersecurity legislation before year’s end. Noting recent large-scale hacks against Target and Home Depot and reports of security vulnerabilities, members warn that the U.S. could face a major cyber-attack if nothing is done. “The al Qaeda threat did not manifest itself without warning on September 11, 2001,” Commission Chairman Thomas Kean and Vice Chairman Lee Hamilton wrote in a letter . “But we did not heed those warnings until it was too late. Unfortunately, that pattern seems to be repeating itself in the cyber realm.” [The Hill] [Senate Judiciary Committee Chairman Patrick Leahy (D-VT) said when the Senate reconvenes next month “it must swiftly take up and pass the USA FREEDOM Act.”] and [Members of the 9/11 Commission are urging Senate Majority Leader Harry Reid (D-NV) to pass cybersecurity legislation before year’s end] [The Washington Post reports on the potential effects a Republican-run Senate would have on tech policy.]

US – Feinstein Floats Privacy Changes to Cyber Bill

Senate Intelligence Committee Chairwoman Dianne Feinstein (D-CA) has said she is considering changes to the Cybersecurity Information Sharing Act to address privacy concerns, but has acknowledged that might not be enough to get the law passed. “You know, it’s always more, more, more,” Feinstein said. She declined to share specific details about the changes, the report states. Feinstein’s measure was passed 12-3 by the Senate Intelligence Committee, the report states, noting Feinstein commented, “I think if we could get this up on the floor, I believe we can pass it … We’re willing to take amendments and do them on the floor, so that shouldn’t stop it.” [The Hill] [Senate Intelligence Committee Chairwoman Dianne Feinstein (D-CA) has said she is considering changes to the Cybersecurity Information Sharing Act to address privacy concerns, but has acknowledged that might not be enough to get the law passed.]

US – California AG Calls for Action from Retailers, Healthcare

California Attorney General (AG) Kamala Harris unveiled the California Data Breach Report, the state’s first since 2012. In it, the AG focuses on the retail and healthcare sectors and sets forth recommendations that call for more readable breach notices, increased use of technology like chip cards to devalue stolen credit card data and for the healthcare industry to employ widespread encryption. She also calls for additional security funding for smaller retailers, a growing target of cyber-attacks. [Source] [The Privacy Advisor outlines California Attorney General’s California Data Breach Report, which sets forth recommendations that call for more readable breach notices, increased use of technology like chip cards to devalue stolen credit card data and for the healthcare industry to employ widespread encryption.]

US Legislative News Roundup: [While President Barack Obama has called on Congress to enact data breach notification legislation, that won’t happen this year.] | [Several states are attempting to pass legislation requiring cell-phone makers to include a “kill switch,” but the trend is raising red flags for privacy advocates who say they would provide law enforcement with too much power] | [Sen. Orrin Hatch (R-UT) outlined his agenda for technology legislation in the next Congress and highlighted the need to reform to email privacy] | [Alabama Sen. Arthur Orr (R-Decatur) has indicated he is working on legislation that would require companies doing business in the state to notify customers of data breaches] | [New Jersey legislators have proposed AB 3322, requiring health insurers to encrypt personal health data on all of their computers] | [The New Jersey Assembly Consumer Affairs Committee has approved AB 3146, aiming to protect consumers from identity theft] | [Pennsylvania Gov. Tom Corbett is expected to sign a bill that creates a prescription drug monitoring program despite privacy concerns] [The Pennsylvania Senate has passed a prescription drug monitoring bill despite privacy concerns voiced by the American Civil Liberties Union. The bill now head to the governor’s desk] | [The Conference of the German Federal and State Data Protection Authorities has adopted a resolution expressing concern about privacy risks involved in the collection and processing of personal data in cars]

Workplace Privacy

WW – Exploring the Balance of Data Security and Employee Privacy

“With the right technology, enterprises can control the risk associated with maintaining confidential and private information. However, as many of these security measures require a detailed supervision of business operations, enterprises must be careful to avoid intruding on worker privacy,” states a new whitepaper from the Medical Device Privacy Consortium. Securing the Enterprise in a Privacy-Responsible Manner looks at the intersection of surveillance of systems and employee privacy rights in different regulatory environments and offers some recommended privacy principles to follow. [Source] See also: [The French Supreme Court has ruled employers must notify the CNIL of devices to monitor employees’ email volume and flows] and also: [US: 5 best practices for lawfully monitoring your employees’ social media activities]

+++

01-15 October 2014

Biometrics

US – Airlines Look to Biometrics to Streamline the Check-In Process

Biometrics, the technology that uses human physical traits as a form of identification, is gaining popularity with governments and merchants. Now airlines are considering the technology. The next breakthrough in paperless airline ticketing may be under your thumb — literally. Alaska Airlines is exploring using passengers’ fingerprints to replace travel documents, driver’s licenses and credit cards now needed to navigate from airport curbs to jetliner seats. If successful, it would be the first U.S. carrier to employ biometrics for boarding passes and inflight purchases and could spur wider adoption across the industry. [Source]

WW – Build in Biometric Security for Market Advantage” Levin

Adam Levin writes about how “legions of sophisticated hackers are infiltrating the most state-of-the-art data security strategies out there” and how biometrics “may well be the next ‘less hackable’ thing.” He notes there will likely be a small window of time before biometrics become “‘the new normal,’” so “there is a marketing advantage, which is why it’s crucial for companies that handle sensitive information to get in front of the trend.” He notes Apple has begun this process and other companies are experimenting with “bio-specific authentication.” He writes that if there is a takeaway, “it’s to be found in the Apple model, which doesn’t lead with a security solution so much as it incorporates it.” [Forbes] See also: [Companies Battle It Out on Privacy]

EU – Comedy Club Charges Per Laugh With Facial Recognition

A comedy club in Barcelona is experimenting with charging users per laugh, using facial-recognition technology to track how much they enjoyed the show. The software is installed on tablets attached to the back of each seat at the Teatreneu club. Each laugh is charged at 0.30 euros (23p) with a cap of 24 euros (£18). Takings are up so far. The project was developed to combat falling audience numbers.The system is now being copied in other theatres around Spain. The comedy club has also launched a mobile app as a method of payment, as well as its first pay-per-laugh season ticket. James Woroniecki, director of London’s 99 Club, said: “Sounds fun, just so long as all the facial recognition data doesn’t get forwarded to the NSA [US National Security Agency]. [BBC News]

WW – Millions of Voiceprints Quietly Being Harvested as Latest ID Tool

The collection of voiceprints by governments and businesses is increasing “to pay pensions, collect taxes, track criminals and replace passwords.” A representative from a voice biometric vendor said, “There’s a misconception that the technology we have today is only in the domain of intelligence services, or the domain of Star Trek … The technology is here today, well-proven and commonly available.” A Barclays executive suggested “voice biometrics will be the de facto standard in the next two to three years.” A separate report notes the rise of the technology is spurring privacy concerns. One advocate said if public use of voice biometrics services were to be compromised, “We could lose a major avenue of anonymous speech.” [The Guardian] [Voiceprint harvesting – the next frontier in data privacy war]

Big Data

US – FPF Whitepaper Intros Toolbox for Weighing Big Data Rewards, Risks

Over the past few years, organizations have developed various frameworks to measure privacy risks of new projects, products or services. Yet these frameworks, typically called privacy impact assessments or risk management tools, account for only one part of a cost-benefit analysis. In a new Future of Privacy Forum (FPF) whitepaper, Jules Polonetsky, IAPP VP of Research and Education Omer Tene and the FPF’s Joseph Jerome introduce a new toolbox for weighing big data rewards against privacy risks. The paper includes case studies and graphics and provides a taxonomy of privacy risks and an analytical framework for “data benefit analysis.” [Source] See also{ Washington Post: Weighing the Benefits of Mining Health Data] See also: [Big Data is watching you. Has online spying gone too far?] AND Intel Global Privacy Officer David Hoffman explained

US – Information Accountability Foundation Releases Big Data Ethics Whitepaper

The Information Accountability Foundation released its first paper on its Big Data Ethics Project. The project aims to create tools for businesses and law enforcement authorities to ensure big data benefits while preventing negative outcomes such as discrimination or misuse of data. Governance, according to the paper, is key. “To establish big data governance, the foundation believes in the need for a common ethical frame based on key values and the need for an interrogation framework,” the paper states. “In formulating a frame, we concluded the following: Governance requires enforcement; big data enforcement needs to be explored by stakeholders, and interrogation frameworks should be customized [Source] SEE ALSO: Intel’s endeavor to encourage organizations to take “a data innovation pledge “ that promotes “the simultaneous ethical and innovative use of data.” Meanwhile, speaking at an EU event, Tim Berners-Lee suggested “the promise of big data has been undermined by companies using their customers’ data to deliver targeted advertising,”

UK – ICO Publishes Report on Big Data

On 28 July, the ICO released its report ‘Big data and data protection’ (the ‘Report’). The Report defines ‘Big Data’ and sets out the data protection and privacy issues raised by Big Data, as well as compliance with the UK Data Protection Act 1998 (‘DPA’) in the context of Big Data. The ICO defines Big Data by reference to the Garter IT glossary definition, and further explains that processing personal data must be of a significant volume, variety or velocity. When announcing publication of the Report, Steve Wood, the ICO’s Head of Policy Delivery, stated that “Big Data can work within the established data protection principles….The principles are still fit for purpose but organisations need to innovate when applying them”.[Source]

WW – Can Mobile Tracking Help Stem Ebola Outbreaks?

Big data analytics may help emergency response teams, medical charities and nongovernmental organizations contain the Ebola virus, but to do so, tracking of mobile phones is needed. According to the report, citizens in some of the poorest countries in Africa own mobile phones, which is proving to be a “rich source of data in a region where other reliable sources are sorely lacking.” In one example, Orange Telecom in Senegal shared anonymized voice and text data from 150,000 mobile phones with Swedish nonprofit Flowminder to help draw up maps of population movements in the region. And the U.S. Centers for Disease Control is currently collecting mobile phone activity data from operators to map where helpline calls are sourced. [BBC News]

Canada

CA – Cyberbullying Bill Inches Closer to Law Despite Privacy Concerns

A controversial bill to fight cyberbullying and give more powers to law enforcement is set to pass third reading in the House of Commons. Bill C-13 would make it illegal for anyone to post or transmit an “intimate image” of another individual without that person’s consent. But other measures included in the bill would give police easier access to the metadata that ISPs and phone companies keep on every call and email by their customers. It would also make it easier for police to get preservation or production orders by lowering the threshold from a “reasonable grounds to believe” a crime has happened or could happen to “reasonable grounds to suspect.” The bill would also give immunity to any companies that turn over to police the information they hold. The bill is expected to pass, with the majority Conservatives supporting it despite a number of objections raised by Canada’s privacy commissioner, Daniel Therrien, and by Amanda Todd’s mother. Both Therrien and Todd said the bill should have been split so the widely embraced cyberbullying measures were considered separately from the far more controversial online data-collection measures. NDP digital issues critic Charmaine Borg said she expects the bill, should it become law, to be challenged in court following the Supreme Court’s decision last June in the case R vs. Spencer. The Spencer decision barred ISPs from voluntarily disclosing the names, addresses and phone numbers of their customers to law enforcement officials in response to an informal request — something ISPs have been doing hundreds of thousands of times a year. The landmark decision came the day the House justice committee reported back to the House on C-13. [Source] See also: [Cyberbullying bill C-13 moves on despite Supreme Court decision] See aslo: [Harper government missed deadline on jihadi tracking tool]

CA – Alberta’s PIPA Scheduled to Lapse on November 15, 2014

On November 15, 2013, the Supreme Court of Canada found Alberta’s Personal Information Protection Act (PIPA) to be invalid and gave Alberta’s Legislature 12 months to make it constitutional. To date, no amendments to PIPA have been tabled by the Alberta government and the next session of the Alberta Legislature has been delayed until November 17, 2014. On September 22, 2014, Alberta’s Information and Privacy Commissioner wrote an open letter to Alberta’s Premier, the Minister of Justice and Solicitor General and the Minister of Service Alberta expressing concern over PIPA’s inevitable lapse as result of the delayed start to the session of the Alberta Legislature: If PIPA is allowed to lapse, Alberta’s citizens and businesses will lose the unique benefits afforded by the legislation, including: mandatory breach reporting and notification to affected individuals, local enforcement without court involvement, and protection for the access and privacy rights of employee of provincially-regulated private sector businesses. As the oversight body for PIPA, the Commissioner’s office is receiving inquiries from the public and stakeholders as to the status of the legislation. In addition, there are 280 PIPA cases currently open – including breach reports from organizations, complaint investigations, and quasi-judicial inquiries – which will potentially be affected in the event the legislation lapses. In response, Alberta’s new Premier, Jim Prentice, declared he would be seeking an extension from the Supreme Court with respect to the amendment deadline. A motion extending the suspension of the declaration of invalidity was filed in the Supreme Court by the Attorney General of Alberta on October 1, 2014. [Source] “In a precedent-setting decision, Alberta’s Court of Queen’s Bench has ruled the province’s Health Information Act protects any information broadly connected to a patient’s care, even if that information is about another person.”

CA – Decision Reserved in Lawsuit Over Sask. Student’s Cellphone Privacy

A judge has reserved decision in a lawsuit over whether a Grade 6 student’s privacy was violated when school staff read the texts on his cellphone. Court heard a teacher at Riverside Community School in Prince Albert took the 12-year-old’s phone when she caught him texting during class in March 2010. The teacher gave the phone to the then-vice-principal, who went through the boy’s texts and found one about a car theft. Dwayne Tournier testified the text was from someone who said — quote — “we stole a car.” The lawsuit alleges that after the school contacted police, an officer got the boy to text the sender back about the car’s location and then took him in a cruiser to identify the vehicle. The boy’s grandparents, who were his guardians, argue the actions of the school put the boy in a position where he feared retaliation by the text’s sender because the boy was seen in the cruiser. The lawsuit claims damages from the Saskatchewan Rivers School Division and Tournier. “The mistake, if a mistake was made, is in reading the contents of the cellphone, then calling the local city police to take this young lad to a stolen vehicle to identify a vehicle,” said lawyer Marcel Simonot, on behalf of the grandparents. [Source]

CA – OPC’s Bernier Joins Private Practice

Former Interim Privacy Commissioner of Canada Chantal Bernier has joined Dentons’ privacy and security practice as counsel. “We are honored to have Chantal Bernier, a renowned thought-leader in privacy protection, join Dentons,” said Dentons CEO Chris Pinnington. “In the digital age, when privacy risks and concerns are on the rise, Ms. Bernier’s perspective and insight as a seasoned regulator and senior executive will be a tremendous asset to our clients, in Canada and around the world.” [MarketWired]

Consumer

EU – Survey Shows What Europeans Think Their Personal Data Is Worth

A survey commissioned by European telco Orange examines how Europeans perceive the value of their personal data. “There is a perceived imbalance within the data-sharing relationship,” the survey states, “with two-thirds of consumers believing that organizations benefit the most from the sharing of data—just 6% think that the consumer benefits the most.” The UK, France, Spain and Poland were surveyed, and respondents, on average, said that each piece of personal data shared with a familiar business is worth approximately $21. For unfamiliar companies, the value increased to $25. The report includes breakdowns of what respondents thought specific data points were worth, including full name, date of birth, location, income and marital status. [Quartz]

US – The Future of Retail Tracking and Allegations About Uber’s Location Privacy

Macy’s is leading the rise of iBeacon technology in retail stores. The retail chain will add 4,000 iBeacon devices to its almost 800 stores nationwide in the next few weeks. Macy.com President Kent Anderson said, “The customer who gets more engaged in more of the channels that Macy’s has to offer gives us more wallet share.” iBeacons also being placed at various Marriott locations. [The Washington Post]

US – Experiment Demonstrates Perils of Not Reading Privacy Policies

In an experiment to demonstrate the dangers of connecting to unfamiliar networks, security firm F-Secure set up an open WiFi network in a busy, public area in London, UK, complete with lengthy terms and conditions that included a “Herod clause.” Yup. Six people clicked through to exchange “permanent ownership” of their firstborn children for WiFi access. Enter Terms of Service; Didn’t Read, a user rights initiative that is rating websites according to their terms and privacy policies. [Source]

US – How Many Chocolate Chip Cookies is Your Personal Data Worth?

New York-based artist Risa Puno’s recent experiment in which she asked New Yorkers at an arts festival to give up sensitive personal information from fingerprints to partial Social Security numbers (SSNs) for a cookie—not a web cookie, an actual cookie. In total, 380 did so, with 117 allowing Puno to take their fingerprints and just under half giving her the last four digits of their SSNs. Based on the experiment, Slate offers advice on how to measure the value of your personal data in cookies. Meanwhile, ComputerworldUK reports on how firms can survive in the age of data currency. [ProPublica]

E-Government

CA – PEI Privacy Commissioner Urges Review of Government Document Storage

Personal records stored in derelict buildings should serve as a wake-up call to government, says the information and privacy commissioner. The province is in the process of relocating health and financial records housed in two boarded-up Health P.E.I. buildings in Charlottetown. City police have reported that the buildings have been broken into at least five times in the last month. Maria MacDonald doesn’t believe this is an isolated case of poorly stored documents. Close to 1,200 boxes of documents, including medical and financial records, are being removed from the buildings, says Pam Trainor, executive director of acute care, mental health and addictions for Health P.E.I. The removal of the records began Thursday and most were expected to have been taken out of the old buildings by the end of Monday. [Source] [Ireland: Investigators accessed social welfare information and disclosed to credit unions]

CA – IBM Wins a Federal Data Centre Contract

IBM Canada has won a multi-year contract to provide and manage one of the new data centres the federal government needs as it consolidates IT infrastructure under its Shared Services program. IBM’s Barrie, Ont., data centre building, which was opened in 2012, will house some of the federal IT infrastructure as the government squeezes 485 data centres into seven by 2020. This contract dealt only with the physical space. IBM will not be providing servers, storage or networking. [IT World Canada]

US – Public Officials Give Up Some Privacy on Personal Cellphones – Editorial

Citizens expect, demand and deserve public officials who put the public first. One way we put the public first is by promoting open government and protecting the people’s right to know. An official cannot choose to use personal technology like a cellphone or home computer to conduct public business and then deny access to the resulting public records on grounds of personal privacy. This point was driven home recently for Pierce County Prosecuting Attorney Mark Lindquist, who had been using his personal cellphone for official business. The question of whether public officials can keep public information private is now winding its way through the courts. Public records do not become private property when created and stored on personal devices. The information in public records belongs to the people, even if accessing it on a private device is inconvenient or embarrassing for the official who created and stored it there.[Source] See also: [New York postman accused of hoarding 2,500 pounds of mail]

E-Mail

CA – CASL: Rules for the Installation and Use of Computer Programs

Effective January 15, 2015, Canada’s anti-spam law (commonly known as “CASL”) will impose onerous restrictions and requirements for the commercial installation and use of computer programs on another person’s computer system. The rules apply to almost any computer program (not just malware/spyware/harmful programs) installed on almost any computing device (including mobile phones) as part of a commercial activity (regardless of expectation of profit). The rules have potentially serious implications for Canadian businesses that distribute computer programs and for foreign businesses that distribute computer programs to computer systems located in Canada. Unfortunately, the rules are challenging to interpret and apply, and regulators have provided limited guidance. [More] See also: [CRTC works with small business to stop malicious spam from being sent to Canadians]

Electronic Records

US – Advocates Claim Compliance Site Violates COPPA

The Center for Digital Democracy and Campaign for a Commercial-Free Childhood have alleged in comments filed with the FTC that AgeCheq—a company that aims to help app developers comply with children’s privacy rules—itself violates those regulations. The comments claim AgeCheq collects data about children without first obtaining their parents’ permission, in violation of the Children’s Online Privacy Protection Act (COPPA). AgeCheq CEO Roy Smith said the allegations are “specious,” adding, “We’re mystified by this whole thing.” Smith said he doesn’t believe COPPA bans the company from collecting data about children because his site doesn’t fit into COPPA’s definition of a website operator. [MediaPost]

EU Developments

EU – Google Ordered to Change Handling of User Data in Germany

Hamburg Data Protection Commissioner Johannes Caspar issued a statement ordering Google to limit how it combines user data that could be used to determine such customer information as marital status or sexual orientation. Caspar emailed Google about its 2012 privacy policy terms, which allow it to combine data it gathers when customers use its services. “With that, one can compile detailed movement patterns, detect the social and financial status, and friendship, sexual orientation and the relationship status,” Caspar said, ordering Google “to take the necessary technical and organizational measures to guarantee that their users can decide on their own if and to what extend their data is used for profiling.” Google is reportedly reviewing the order. [Bloomberg]

EU – Ansip: EU May Suspend Data-Sharing Agreements if U.S. Doesn’t Shape Up

Europe may suspend data-sharing agreements with the U.S. if American policy makers don’t improve how Europeans’ online information is protected. That’s according to Andrus Ansip, the nominee to lead Europe’s digital agenda, who added the U.S. still needs to convince European lawmakers it takes a hard line on data protection. “Americans have to deliver and provide real trust to European citizens,” Ansip said during a hearing at European Parliament in Brussels, adding a suspension of Safe Harbor is still on the table. [The New York Times]

EU – Belgium Appoints First Privacy Minister

After several months of negotiations, finally a new governmental coalition has been formed in Belgium. It may come as a surprise, but the new government has paid particular attention to privacy-related issues in its coalition agreement, including the appointment of a Secretary of State for privacy. DLA Piper’s Patrick Van Eecke and Elisabeth Verbrugge look at the new government’s stated intentions for privacy, including a slate of planned reforms, and look into the future to assess the impact of these decisions. [Full Story] [Belgium’s New Government Sets Privacy High on the Agenda, Appointing Minister of Privacy] and also: [IRE: Government expected to increase data protection budget]

Facts & Stats

WW – How Much is Data Really Worth?

While companies are building entire businesses around the collection and sale of data, no one really knows what all that information is worth. “It’s flummoxing that companies have better accounting for their office furniture than their information assets,” said a Gartner analyst. “You can’t manage what you don’t measure.” As more companies traffic in information and use big data analytics tools to find ways to generate revenue, the lack of standards for valuing data leaves a widening gap in our understanding of the modern business world, the report states. Such intangible assets like patents, trademarks and copyrights could be worth more than $8 trillion, one economist estimates. [The Wall Street Journal]

Filtering

US – FCC Fines Marriott for Blocking Guests’ Wi-Fi Hotspots

Marriott has agreed to pay the US Federal Communications Commission (FCC) US $600,000 to settle charges that the company blocked guests’ personal hotspots, forcing them to use the hotel’s WiFi at significant cost. The Gaylord Opryland Hotel in Nashville, Tennessee, admitted to the blocking, saying that it normally established wireless services and networks for groups at the convention facility, charging US $250 to US $1,000 per access point. The service provided by the hotel includes a monitoring system that blocks networks that are not its own. [Ars Technica] [The Register]

Finance

US – TCPA Prompts Bank Fears; Kohl’s Seeks Class-Action Dismissal

In a filing with the Federal Communications Commission (FCC), the American Bankers Association (ABA) said banks that call or text customers run the risk of being sued under the Telephone Consumer Protection Act (TCPA), a 23-year-old law that requires consumers’ consent to being called on their mobile phones. “A single financial institution might be responsible for 50,000 to 60,000 or more potential data security breach notifications per month,” the ABA wrote to the FCC. “A substantial portion of these automated notifications must be sent to mobile telephone numbers.” Meanwhile, Kohl’s has asked a federal judge to throw out a putative TCPA class-action alleging the retailer gathered consumers’ cell-phone numbers for debt-collection purposes. [Quartz]

FOI

AU – FOI May Cost $800 as Coalition Seeks to Abolish Regulator

The federal government has introduced a bill to abolish Australia’s freedom of information watchdog. In a move that will wind back significant reforms in Australia’s federal freedom of information framework introduced in 2010, the government has pushed ahead with its plans to abolish the Office of the Australian Information Commissioner (OAIC). The bill would remove an office conceived as the “champion” of freedom of information and privacy, and would largely revert to the pre-2010 framework where complaints about freedom of information matters were heard by the commonwealth ombudsman and appeals went to the Administrative Appeals Tribunal (AAT). Labor and the Greens have previously raised major concerns about this move, saying it would “shut the door on open government”. Crucially, the bill provides no relief or waivers for the $800 filing fee to make applications to the AAT, which is likely to create a substantial barrier to seeking review of government decisions.[Source] The Freedom of Information Amendment (New Arrangements) Bill 2014 was introduced into Australia’s Parliament on Thursday, and the Office of the Australian Information Commissioner (OAIC) has detailed what to expect if the bill becomes law. The Australian government’s plan to require data retention continues to make headlines as do allegations that Australian privacy laws are putting military personnel at risk.

Genetics

US – 23andme Genetic Testing Service Coming to Canada

A California company offering a genetic testing service that claims to pinpoint both health conditions and genetic background has begun operating in Canada, despite being blocked by the U.S. health regulator from offering its full service. The company 23andme tests for about 100 health markers based on a sample of your saliva. Customers apply for the testing kit online, submit a sample and get a response in two to six weeks via email. The U.S. Food and Drug Administration blocked 23andme from sending health information to customers of its genetic testing kits in the U.S. “The FDA believes that we are a medical device, so we are going through the medical device review process. In Canada we are working with health authorities and they have deemed that we are non-therapeutic and therefore we don’t need pre-market clearance,” said CEO Anne Wojcicki. However, Canada’s privacy commissioner has raised concerns about the privacy of genetic tests. At this time, there are no laws in Canada that specifically address the use of genetic test results by insurance companies. The Canadian Life and Health Insurance Association has agreed its members will never require a genetic test from a customer, but say that if there is such a test, “the insurer would request access to the information, just as it would for other aspects of the applicant’s health history.” [Source]

Health / Medical

US – FDA Issues Medical Device Cyber Security Guidance

The US Food and Drug Administration (FDA) has released guidance for medical device cyber security. The publication offers recommendations to manufacturers and urges them to “consider cybersecurity risks as part of the design and development of a medical device.” The agency also encourages manufacturers provide the FDA with documentation about risks in devices and plans to mitigate those risks, as well as plans for providing updates and patches. The FDA is holding a workshop on the issue later this month. [FDA] [SCMagazine] [USA Today] [MobiHealthNews: A Roundup of FDA-Approved Electronic Medical Devices]

US – OCR Prepping to Launch Phase II Audits

The Department of Health and Human Services Office for Civil Rights (OCR) is preparing to launch OCR Phase II Audits, a permanent audit program for covered entities, although the OCR is still dealing with funding constraints and finalizing the program, the OCR’s Iliana Peters said at a conference last month. When the program will begin depends on some technology upgrades, Peters said, noting once Phase II starts, the OCR will use it as an enforcement tool and, depending on what issues are discovered, corrective actions may result. She added settlements and monetary penalties are “never off the table” if major compliance issues are found during investigations. [PR Web]

WW – Facebook Moving Into Healthcare

Amidst reports that Facebook will feature new guidelines and an ethics review panel for research projects, the social networking giant is also reportedly moving into the healthcare landscape. Facebook is allegedly exploring the development of online “support communities” to connect users with similar ailments and a small team is considering “preventative care” applications. The company has been convening meetings with various medical industry experts and entrepreneurs to set up a research and development team to test new health apps, the report states. [Reuters]

Horror Stories

US – JP Morgan Chase: Breach Affected 76 Million Households

In a filing with the US Securities and Exchange Commission (SEC), JPMorgan Chase disclosed that a security breach earlier this year affected 76 million households and seven million businesses, and that the data compromised include phone number and email addresses, but not account information. The company has denied emerging reports of a second breach. Stanford’s Jonathan Mayer said, “There’s no doubt that companies with valuable information have a target on them.” Meanwhile, new evidence on where “massive data breaches lead“—including to “clone cards” sold to low-level criminals—and details some of the costs of data breaches. [NBC News] [NBC News] [Fast Edgar] [NYTimes] [CS Monitor] [The Register] [ComputerWorld] [ZDNet] [SCMagazine] [NPR News] Lawmakers in the U.S. are using the JP Morgan data breach to push privacy-diminishing cyber-legislation.

CA – Personal Info Accessed In B.C. Government Database Breach

The B.C. government is trying to notify 15,000 people whose personal information has been illegally accessed because of a data breach on a Ministry of Forests’ website and associated databases. The ministry says names, contact information, birth dates, drivers’ licence numbers and job evaluation information of firefighters who applied to work on wildfire crews may have been compromised. A ministry news release says data about applicants’ aboriginal, minority or disabled status may have also been viewed when the information was accessed by an unauthorized user on Sept. 24. The ministry says public website access was shut down as soon as the breach was discovered and the Information and Privacy Commissioner was notified. The government says it is offering free credit protection services to people who have been affected. However, it says some of the database records are up to 10 years old and contacting everyone involved in a timely manner may be difficult. [The Globe and Mail]

US – Inspector General Says Nearly 14 million Postal Service Records at Risk

The U.S. Postal Service Inspector General has concluded the Postal Service has put nearly 14 million customer records at risk. The inspector general’s audit found that hundreds of businesses have access to millions of change-of-address forms with little oversight from the Postal Service. “There is a risk that the (data) could be accessed by unauthorized users,” auditors for Inspector General David Williams wrote, adding, “Security controls … are not sufficient to protect the confidentiality and integrity of customer information.” [The Washington Post] See also: [Kmart, Dairy Queen see payment-card data stolen] [Oregon Employment Dept. Reports Breach]

US – Senators Want Answers on USIS Breach

Senate Homeland Security and Governmental Affairs Committee leaders have sent letters to the Obama administration as well as the Department of Homeland Security (DHS), the Office of Management and Budget and the Office of Personnel Management seeking answers to a breach that hit the U.S. Investigations Services (USIS) in August. The breach likely compromised the personal information of approximately 25,000 government employees. Committee Chairman Tom Carper (D-DE) and ranking member Tom Coburn (R-OK) wrote in the letter to DHS Secretary Jeh Johnson that the breach raises significant concerns, noting, “If you determine that additional tools and authorities are needed to further improve federal network security, we urge you to inform the committee as soon as possible.” [GovInfoSecurity]

CA – Alberta Health Services Unsure What Happened to Information Lost in a Privacy Breach

Officials don’t know what happened to the information gleaned from 19 months of a breach of patient records by an Alberta Children’s Hospital staffer targeted a wide variety of victims, including high-profile people. And though Alberta Health Services says the low-level administrator’s access to 247 patients’ records hasn’t impacted care of the integrity of the data, the agency’s president Valerie Kaminski said it’s not clear what was done with the information. “We don’t know ─ we asked that question and the information they gave us was very non-descript,” said Kaminski. “There was no evidence they made copies at all.” The former staffer, who was fired, had access to patient history, contact information, date of birth and family information on two different databases from January of 2013 to August 2014 on at least one of the databases. It went beyond children’s medical information, extending to nurses, physicians and “high profile people across the community, there were a large number of adult patients,” said Kaminski. [Source] [Alberta Children’s Hospital patient privacy breach prompts apology] See also: [The Alberta Court Of Appeal Considers Confidential Information, Settlement Privilege And The Freedom Of Information And Protection Of Privacy Act]

WW – Hartzog: Snapchat Should Not Blame Users for Latest Leak

Prof. Woodrow Hartzog writes that Snapchat, in its message to consumers after a hack of images stored on a third-party server, should not have blamed users for the incident. “Snappchatters were allegedly victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use,” the company wrote. Hartzog notes that such rules are “buried in the fine print” and that two lessons can be drawn from the incident and response: Businesses need to educate their users about security risks in plain language, and technologies that promise to protect privacy “must provide better data security than traditional social media.” Meanwhile, Gizmodo writes new app Vent is a “disaster waiting to happen,” and The Globe and Mail reports anonymous app Shadow creates a false expectation of privacy. [Wired]

US – AT&T Employee Fired for Accessing Customer Data

AT&T has fired an employee for allegedly accessing customers’ personal data, including driver’s license and Social Security numbers, as well as customer metadata about calls made. AT&T notified the affected customers by letter. [The Register] [ZD Net] [Net Security] [Text of Letter]

WW – Cybersecurity Awareness Month News Roundup

In conjunction with cybersecurity awareness month, the U.S. FTC has released online shopping tips in a short YouTube clip, and in an effort to help organizations better understand the data breach landscape, Experian has released its 2014-2015 Data Breach Response Guide. Meanwhile, in a survey by UK-based telecoms company BT, 26% of the 640 IT decision-makers said their business had experienced a data breach incident where their cloud provider was partly at fault, and Help Net Security reports the majority of IT decision-makers said they aren’t confident data would be secure if outsiders penetrated their network’s perimeter security. Separately, EBay has moved to dismiss a proposed class-action over a data breach, and software company Netwrix has recommended three steps Home Depot could have taken to prevent its breach. In healthcare, there’s been a “substantial spike” in the number of major data breaches posted on the U.S. Health and Human Services “wall of shame” since the Health Insurance Portability and Accountability Act Omnibus Rule came into play a year ago.

WW – Interpol Says “Around 100” Cyber Kingpins Worldwide

The latest business to announce a credit and debit card breach is the U.S.-based ice cream and restaurant chain Dairy Queen. The company said 395 of its stores were affected. In a similar story, U.S. investigators believe the hackers that breached JP Morgan are the same ones who breached Fidelity Investments. The slew of cyber-attacks are prompting some companies to consider going on the offensive by “hacking back” or going on “active defense.” Trend Micro’s chief cybersecurity officer said, “Active defense is happening. It’s not mainstream. It’s very selective.” According to Europol’s Cybercrime Center, there are only “around 100” cybercriminal kingpins worldwide. [The Washington Post]

Identity Issues

SK – Wave of Identity Thefts Forces South Korea to Overhaul National ID System

After an avalanche of data breaches, South Korea’s national identity card system has been raided so thoroughly by thieves that the government says it might have to issue new ID numbers to every citizen over 17 at a possible cost of billions of dollars. The admission is an embarrassment for a society that prides itself on its high-tech skills and has some of the fastest Internet access. The issue came to a head after 20 million people including the president, Park Geun-hye, were victims of a data theft at three credit card companies. Park acknowledged in January change was needed and ordered a study of possible options. A decision is due later this year. Rebuilding the system and tightening security could take up to a decade, according to Kilnam Chon, a researcher known as the “Father of the Korean Internet” for his pioneering work in online technology in the 1980s. “The problems have grown to a point where finding a way to completely solve them looks unlikely,” said Chon. [Source] [SCMagazine] [The Register] See also: [BC: Pastafarian’s fight with ICBC comes to a boil]

US – Feds Say Agent Legally Impersonated Woman

The Justice Department says a federal agent had the right to impersonate a young woman online by creating a Facebook page in her name without her knowledge. The woman’s account was set up by a U.S. Drug Enforcement Administration special agent after she was arrested for allegedly being part of a drug ring. While she awaited trial, the agent set up the fake Facebook page, using her name and posting photos from her seized cell phone, to communicate with at least one wanted fugitive. The woman is suing the agent for invading her privacy. The Justice Department is looking into the matter. [Buzzfeed] [US: Government Set Up A Fake Facebook Page In This Woman’s Name]

Internet / WWW

WW – International Privacy Conference Releases Declaration, Resolutions

As the 36th Annual International Conference of Data Protection and Privacy Commissioners winds down in Mauritius, leaders from the conference have released a declaration on the Internet of Things (IoT) as well as resolutions on accreditation, big data, international cooperation and privacy in the digital age. In their IoT declaration, Executive Committee Chairman Jacob Kohnstamm and Mauritius Data Protection Office Chairwoman Drudeisha Madhub conclude data collected from IoT devices should be considered personal data; IoT value is not only found in devices but in services; transparency will be key; local processing is needed to help bolster security; regulators will closely watch the IoT landscape; Privacy by Design should be “a key selling point,” and “a strong, active and constructive debate” is needed between all stakeholders. [Source] Notable private sector Interviews: [Google Chairman: ‘We’re Going to End Up Breaking the Internet’ – Eric Schmidt said the Internet as we know it will fail unless governments reform their surveillance practices] [Privacy as a Selling Point: An Interview with Siemens’ Rob Gratchner] [Microsoft’s Lynch Talks Privacy and Trust, Then and Now] [Protecting Privacy In The Digital Age: Mikko Hyppönen Answers Your Questions] [Edward Snowden’s Privacy Tips: “Get Rid Of Dropbox,” Avoid Facebook And Google]

WW – UN Report Says Bulk Surveillance Threatens International Law

A 22-page report to the UN General Assembly claims that mass surveillance “is indiscriminately corrosive of online privacy and impinges on the very essence of the right guaranteed by” the UN’s International Covenant on Civil and Political Rights. The study was written by Ben Emmerson, UN special rapporteur on counterterrorism. He said spy programs implemented by the U.S. NSA and the UK GCHQ, for example, “pose a direct and ongoing challenge to an established norm of international law,” and such programs undermine “the right to privacy of communications on the Internet altogether.” The report follows an equally critical analysis from UN High Commissioner for Human Rights Navi Pillay released in July. [The Guardian] [OHCHR]

WW – IPEN Hears Top Risks, Focuses on Privacy-Friendly Tech

In a time when mass surveillance is being supported by the Internet and Western governments in the effort to fight terrorism, and “insecure protocols and the lack of technical measures to protect data in current Internet technology make it easy to circumvent privacy,” Florian Stahl writes on the efforts of the Internet Privacy Engineering Network (IPEN), recently founded by the European Data Protection Supervisor. The IPEN, which held its first workshop in Berlin, Germany, late last month, is working “to support the development of privacy-friendly technologies and raise awareness,” Stahl writes, detailing the Open Web Application Security Project’s presentation of its top 10 privacy risks at the workshop. [Privacy Perspectives] [IPEN website] [IPEN Press Release]

WW – HTTPA? Researchers Work on Accountability Internet Protocol

Two MIT Computer Science and Artificial Intelligence Lab researchers are developing a new Internet protocol called HTTPA, or HTTP with Accountability. Instead of keeping data secret, Oshani Seneviratne and Lalana Kagal are building a protocol that allows data owners to attach conditions for the data’s use, with a way of auditing whether such conditions are being met. If users want to audit their data, the protocol will identify everyone who accessed the data and what was done with it. Since there are potentially hundreds of resources on a given page, Seneviratne explained, “HTTPA would just be applied to resources that need protection … You don’t want to protect every resource, just those that contain sensitive information or protected content.” [CSO Online]

Law Enforcement

NZ – Mobile Fingerprint Scanners Coming to Alcohol Checkpoints

Thousands of motorists suspected of drink-driving could soon be hauled into booze buses [a mobile police drug and alcohol checkpoint] to have their fingerprints taken and stored on a police database. The Booze Bus Biometrics system will enable officers to check the identities of huge numbers of people more quickly and easily than by taking them to the nearest police station. But a leading civil rights lawyer says expanding the tools available for storing people’s personal data is a further step in a creeping “trend of net-widening”. [Source] See also: [Toronto: 18 Officers Probed Toronto Crack House Break-in]

US – Crime-Fighting Surveillance Planes Provoke Privacy Controversy

A US company has developed a way to monitor entire neighbourhoods, using a technology originally developed for the recent wars in Iraq and Afghanistan. But while police forces are excited by the prospect of getting access to the tech, privacy campaigners see it as a threat to citizens’ constitutional rights. By flying a special manned plane over a city, Persistent Surveillance Systems (PSS) says it is able to view and record everything that is happening on the ground across a 25 sq mile (64.7 sq km) area. Rigged with 12 high-resolution cameras, a spliced together picture of a sort of “live Google Earth” map is beamed down from the aircraft to analysts. “The resolution is not high enough to show who someone is, people appear as merely one grey pixel on a screen,” Ross McNutt, a retired United States Air Force veteran and PSS president, told BBC Click. But that one pixel is enough for the person’s movements to be accurately tracked for the time the plane is in the air – up to six hours. When PSS flew its planes over Compton, California, in early 2012 over nine days, it recorded murders, robberies and many other crimes. By matching the time frames of the PSS recordings with on-the-ground testimony, analysts and police were able to see the moment when the crime was committed. They were then able to track where the suspect was before and after the moment of crime. But PSS doesn’t just see the murders and the criminals – its cameras look down onto the streets and backyards where everyday activities happen as well. The firm’s insistence that the close-ups it obtains are low resolution are not enough to placate opponents who see its tech as a threat to Americans’ liberties. [Source] [BBC News] See also: [Police to Receive X-Ray Glasses, Identify Suspects Through Walls]

US – Surveillance Drone Taken Out By Privacy Protecting Hawk

A recent video seems to prove that it’s not just humans that are annoyed with the excessive surveillance these days. While capturing video with a drone, the operator was a bit more than shocked to see his RC aircraft get taken out by an apparent privacy protecting hawk. The incident began when Christopher Schmidt decided to strap a go pro camera to a Quad Copter to take some video around Magazine Beach Park in Cambridge, Massachusetts. During his filming, he appears to have ticked off a hawk who decided to let the drone know who was boss. Sending the drone hurling toward the ground, the Google engineer said the hawk decided he wasn’t happy with his drone invading the airspace and knocked it to the ground, according to Fox 5. Schmidt goes on to write, “As far as I could tell, the hawk came out unscathed, and having defeated his prey, was happy to retreat. (As soon as he flew at me, I throttled down the props to try to minimize any harm to the bird.) The quadcopter came out unscathed as well.” Last week we reported on a man using his shotgun to take out a similar drone – do you think people will start getting the message? [Mad World News]

Location

WW – Grindr Shuts Off Proximity Tracker in Egypt; Privacy Art Exhibit Cancelled

Dutch artist Dries Verhoeven has been forced to cancel his “non-sexual social media-based” art exhibit after privacy concerns were raised. The Berlin-based social-media experiment used the sex-dating app Grindr to lure users to the installation site in order to project the user comments in a public setting. Grindr said, “While Grindr supports the arts, what Dries Verhoeven is doing by luring Grindr users under false pretenses is entrapment. This is an invasion of user privacy and a potential safety issue.” Meanwhile, Egyptian officials have been arresting individuals believed to be homosexual men, prompting Grindr to disable its proximity feature and send a message to users to be “as savvy as you can and to be very careful.” [Hyperallergic] Meanwhie, Venture Capitalist Peter Sims alleges his location was tracked by Uber during a Chicago event. “After learning this,” he wrote, “I expressed my outrage … that the company would use my information and identity to promote its services without my permission.” See also: [US: ‘God View’: Uber Allegedly Stalked Users For Party-Goers’ Viewing Pleasure]

Online Privacy

WW – Adobe Collects eReader Data and Transmits it in Cleartext

Adobe has acknowledged that its Digital Editions eBook reader gathers information about users’ reading histories and sends the data back to the company unencrypted. Adobe maintains that the feature is designed to prevent piracy. The company says the information it collects, which includes user, device and app IDs; IP addresses; duration of reading; and percentage of book read is data that could be demanded by publishers. Adobe now says it plans to issue an update to the software to address the cleartext data transmission. [NBCNews] [Ars Technica] [The Register] [The Register] [The Digital Reader] A tip from a hacker prompted a journalist to use a network tracking app to discover Adobe Digital Editions 4 was “gathering data on the ebooks that have been opened, which pages were read, and in what order.”[GigaOm] See also: [New Flaw: POODLE Puts Browsers at Risk]

UK – Your Colleagues Pose Bigger Threat to Your Privacy than Hackers

The threat from hackers is not nearly as big a problem as the threat posed by your own colleagues, a privacy report has revealed. According to research conducted at the Central European University’s Centre for Media, Data and Society, over half of all privacy breaches in Europe over the last decade are inside jobs, rather than the work of external hackers. The team from CEU conducted the study by examining 350 privacy breaches that took place across ten years. Focussing on the 229 incidents that directly involved the privacy of European citizens, the primary conclusion of the study was that organisational insiders are more to blame for the loss of private information than those attempting to maliciously access information from elsewhere. [Source] [Report: Data Breaches in Europe: Reported Breaches of Compromised Personal Records in Europe, 2005‐2014]

WW – Even Those Who Opt Out Are Part of the Database

Companies like Google and Facebook may be learning about those who don’t use their services. Researchers from Switzerland’s ETH Zurich University studied publicly available data archived from social network Friendster and found that if the company had used certain state-of-the-art prediction algorithms, it could gather sensitive information, such as sexual orientation, about even nonmembers. Meanwhile, Natasha Singer’s column in The New York Times explores how her birthday-information she doesn’t give out online-appeared on a site that lists reporter birthdays. Another Times article looks at the tension inherent in humans’ wishes for privacy and instincts to share. [WIRED] See also: [‘Words With Friends’ Addicts Asked Zynga What It Knew About Them And Got More Than Expected]

EU – Justice Ministers Worry RTBF Is Leading to “Mass Data Erasure”

For the first time, EU justice ministers have “sounded out their political views on the balance between the right to be forgotten and the right to know.” Meeting in Luxembourg, the ministers expressed concern that Google’s compliance with a ruling from the EU’s top court in May requiring it to delete certain search links upon request could lead to a mass erasure of data, the report states. Austrian Justice Minister Wolfgang Brandstetter said, “We can’t leave it up to search engines to decide on the right balance between freedom of expression and a right to be forgotten.” Google’s Eric Schmidt said it would have been helpful if the court was clearer on the details of which delete requests should be honored. [Bloomberg] See also: [Google Notifies NYT of Story Link Removal, Citing RTBF] and [The Economist: Google Continues To Grapple with Right To Be Forgotten Ruling]

WW – Beacon Trial Shows Difficult Balance between Privacy and Personalization

Mothercare, a UK-based baby products retailer, has said it will trial beacons at the beginning of 2015. The goal is to give customers a better in-store experience. Harpinder Singh, a mobile commerce manager for the company, said, “There’s definitely an opportunity here, and because it’s so low-cost, we’re definitely going to a trial at the start of next year,” but added, “it’s a little scary how much you can do” with the technology. Steven Skinner of business technology firm Cognizant said customers need to be reassured their privacy won’t be compromised. “To overcome this, retailers need to educate customers about the benefits this technology offers them and demonstrate the unique benefits they would not get otherwise.” [Computing]

Other Jurisdictions

JP – Court Calls on Google for Right to Be Forgotten

A Japanese court has ordered Google to remove various Internet search results related to a specific Japanese citizen, saying it violates the man’s privacy. The Tokyo District Court issued an injunction ordering Google to delete 120 out of 230 search results that hinted the man was involved with criminal activity, the report states. The man originally filed for the injunction in June, claiming the results endangered his life. His lawyer said, “This is good news for those who feel their lives are threatened and are sickened physically and psychologically by Google’s search results.” [The Wall Street Journal] Minister Yuko Obuchi has announced that Japan’s Ministry of Economy, Trade and Industry will amend its guidelines implementing the Personal Information Protection Law.

HK – Privacy Commissioner Issues Guidance “Banks Must Consider”

Hong Kong Privacy Commissioner Allan Chiang has issued guidance on a number of data protection issues banks must consider. That’s after his office handled 373 data protection complaints about banks in 2013-2014, up from 198 cases the year before. Banks have “been among the top three private-sector organizations being complained about,” Chiang said. The guidance includes instructions on marketing activities, the collection of personal data, cookies and data-retention policies, the report states. “Privacy-assuring banks will enjoy enhanced customer trust and loyalty, thus creating a win-win-win for the customers, their businesses and the banking industry as a whole,” the guide said. [Out-Law.com] See also: A Russian regulator has sent notifications to Facebook, Google and Twitter saying they must register as “organizers of information,” meaning they must store user data locally.

Privacy (US)

US – Following Largest Breach Yet, Obama Now to be Briefed on Cyber-Attacks

Following the JP Morgan Chase breach, “the largest data breach ever,” President Barack Obama will now receive regular updates on foreign cyber-attacks. The breach “now ranks alongside Islamic State group news as a national security concern,” the report states, noting there has been speculation that the Russian government might have supported the attack. Meanwhile, The New York Times reports that, in the coming year, banks in the U.S. are likely to replace debit or credit cards with versions that have tiny computer chips in them in an effort to make shopping at brick-and-mortar stores more safe. [International Business Times] See also: [Chase Breach: Fear of Phishing]

US – Privacy advocates sue Pentagon over Internet voting test results

The Electronic Privacy Information Center (EPIC) has filed a lawsuit against the Pentagon under the Freedom of Information Act over online voting experiments. EPIC’s Ginger McCall said, “Voting is an integral part of our democratic system, and it is imperative that the public have information about whether or not e-voting systems are really secure and reliable before they are used or more money is spent on their acquisition.” Meanwhile, a privacy activist is suing the Chicago Police Department for monitoring cell phones. [The Washington Post]

US – Cartoon Network Suit Dismissed; Google Seeks the Same

Developments in two class-action lawsuits. In California, Google has asked a federal judge to dismiss an amended putative class-action that alleges “the tech giant breached user contracts by giving consumer data from Google Wallet users to third-party app developers, saying Tuesday that there is no significant difference from the dismissed, original complaint.” And in Georgia, a federal judge has dismissed a putative class-action alleging that Cartoon Network’s Android app violated the Video Privacy Protection Act and accusing the network “of disclosing its mobile application users’ personal information without consent.” The judge ruled “the shared information wasn’t personal enough,” the report states. [Law360]

US – A Look at Recent Privacy Class-Action Developments

Google will enter into mediation with consumers who alleged the company disclosed their contact information with third parties after various apps were purchased and downloaded. A federal judge approved the order, stating the mediation must begin by 6 February 2015. Meanwhile, eBay has filed a motion to dismiss a class-action that alleges consumer injury sustained after the company’s network was breached in a cyber-attack. Late last week, a California judge approved Vendini’s $3 million class-action settlement in which the ticket-seller was accused of compromising user data when its servers were breached. And Travelers Indemnity has filed a federal lawsuit seeking a declaration that it does not have to defend or indemnify P.F. Chang’s data breach litigation, according to a Law360 report [Courthouse News Service]

US – Aaron’s to Pay $28.4M; $14M comScore Settlement Finalized

California Attorney General Kamala Harris announced the nation’s second largest rent-to-own chain, Aaron’s, has agreed to pay $28.4 million to settle violations of state consumer protection and privacy laws. The company settled with the Federal Trade Commission last year. “Aaron’s concealed its illegal privacy and business practices from customers in a deceptive attempt to avoid California’s robust consumer protection laws and increase its profits,” Harris said. A company spokeswoman said Aaron’s admitted to no wrongdoing or liability. In related news, a federal judge approved a $14 million class-action settlement with comScore, and the Digital Trust Foundation—created out of the Facebook Beacon lawsuit—is giving away more than $6 million to projects that promote online privacy, safety and security. [Source] [Source]

US – Savage Named Chief Privacy Officer of ONC

The U.S. Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC) has named Lucia Savage as its new chief privacy officer. Savage is currently a senior associate general counsel at UnitedHealthcare, where she runs a team that works with large data transactions with health information exchanges, transparency initiatives and other data-driven healthcare innovation projects, the report states. The ONC’s Karen DeSalvo said Savage “brings to our team a set of rich experiences at the intersection of health information, privacy and modernizing the healthcare delivery system.” She is set to start on October 20. [Heath IT Outcomes]

US – Snowden: Supreme Court Will Strike Down NSA Programs

Senate Judiciary Committee Chairman Patrick Leahy (D-VT) said when the Senate reconvenes next month “it must swiftly take up and pass the USA FREEDOM Act.” He said “there is no excuse for inaction” and that reforms in the bill “are strongly supported by the technology industry, the privacy and civil liberties community and national security professionals in the intelligence community.” Last week, Sen. Ron Wyden (D-0R) and leaders from the tech industry expressed similar calls for surveillance reform. Edward Snowden is “confident” that the U.S. Supreme Court will find mass surveillance programs illegal. Plus, Forbes reviews “Citizenfour,” a documentary about Snowden. [The Hill]

US – NBA Union Wants to Ensure Privacy Is Protected

The National Basketball Players Association (NBPA) is raising concerns about increased tracking and data collection of players through sleep trackers, off-court movement monitors and other mobile sensors that determine players’ health and improve performance. According to the report, the NBPA was not aware of the rapid growth of Internet-of-Things technology and other biometric advances and, thus, had not developed an official position on the data collection. “If the league and teams want to discuss potentially invasive testing procedures that relate to performance, they’re free to start that dialogue,” said NBPA Counsel Ron Klempner, adding, “Obviously, we’d have serious privacy and other fairness concerns on behalf of the players.” Security of the collected data is also mentioned as a concern, the report states. [ESPN]

US – FPF, SIIA Issue Student Privacy Pledge

The Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA) have announced a pledge to protect student data. The FPF and SIIA, together with school service providers, educator organizations and other stakeholders including Reps. Jared Polis (D-CO) and Luke Messer (R-IN), have come up with a pledge that includes a promise not to sell student data, behaviorally target students or use student data without authorization. Organizations that have made the pledge include Microsoft, Houghton Mifflin Harcourt and the National Parent-Teacher Association. According to Politico , some privacy advocates have raised concerns about organizations that have yet to sign the pledge, including Apple, Google, Pearson and Khan Academy. [Source] See also: [Toronto school board sets higher targets for students based on race, sexual orientation]

Privacy Enhancing Technologies (PETs)

WW – Money, Interest Continue to Pour in for Privacy-Enhancing Tech

In the blog post “You are not your browser history,” data artist Jer Thorpe discusses our “online doppelgängers” and a new browser extension called Floodwatch. Developed in conjunction with Ellery Royston, Ian Ardouin-Fumat and Ashkan Soltani, Floodwatch allows users to “easily track and analyze their browser-based ad histories.” Meanwhile, Frankly, a mobile start-up that provides self-destructing messaging apps, has secured $12.8 million in funding bringing total funding up to $22 million since its founding. USA Today reports on Authy, a free app that places two-factor authentication on smartphones, and a Fast Company column discusses the case for making encryption the default—a topic featured in a recent Privacy Perspectives post. Plus, Facebook is reportedly working on an app that lets users remain anonymous.

EU – German Start-Up Sees 400% User Growth, Secures $3.2 Million

ZenMate is a Berlin-based start-up that provides users with secure, encrypted access to any website, from anywhere, via a Virtual Private Network-style connection. The start-up secured Series A funding in the amount of $3.2 million this week. Its registered users have grown to more than five million, with a 400% increase in the last six months. Its key markets are Germany, the U.S. and the UK, “and growth in those markets reflects the fact that consumers are growing increasingly concerned about personal data being harvested from web histories by ad firms and that privacy is now a global issue that could have a major impact on e-commerce,” the report states. [Forbes]

WW – New Internet Security System to Revolutionise User Privacy

Researchers have developed a new system that protects Internet users’ privacy while increasing the flexibility for web developers to build applications that combine data from different sites, thus dramatically improving the safety of surfing the internet. According to the researchers at UCL, Stanford Engineering, Google, Chalmers and Mozilla Research, the system, named Confinement with Origin Web Labels (COWL), works with Mozilla’s Firefox and the open-source version of Google’s Chrome web browsers and prevents malicious code in a web site from leaking sensitive information to unauthorized parties. The system also allows code in a web site to display content drawn from multiple web sites – an essential function for modern, feature-rich web applications. The researchers show that the system provides strong security without perceptibly slowing the loading speed of web pages and will be freely available for download and use on October 15 at http://cowl.ws.[Source]

WW – Privacy Products Continue to Proliferate

The “Pretty Easy Privacy” project is a user interface project currently crowdfunding on Indiegogo that aims to make standards like PGP more accessible to ordinary people by removing the need to understand key management. Meanwhile, researchers from Stanford, Google, Mozilla and other firms have built a new system that protects Internet users’ privacy while “increasing the flexibility for web developers to build web applications that combine data from different websites.” And Syme, a social network that gained attention last year for its strong privacy features, has quietly disappeared. [GigaOm]

US – One Firm’s Self-Imposed Privacy-Protective Process: Costly but Worth It

Ad-tech firm 4Info’s self-imposed rigorous process to ensure the data it gathers, shares and uses to aim mobile ads at consumers is protected and “near-impossible to connect to an individual.” The company incorporated Privacy by Design and reports it spends at least 30% more to store data in a privacy-safe way than it would otherwise. It does that by “spreading data points associated with a specific user ID across several servers located in multiple physical locations so it cannot be compiled easily into one user profile by outside systems or hackers,” the report states. [Advertising Age]

WW – Messaging App Launches Korean Version to Cash in on Privacy Fears

Privately owned German messaging app Telegram released a Korean-language version on Tuesday to capitalize on a surge in demand from users wary of local apps such as KakaoTalk after the government said it would boost cyber surveillance. Telegram, which advertises its app with the tagline “taking back our right to privacy”, does not have any servers in South Korea, where prosecutors last month launched an cyber monitoring campaign after complaints by President Park Geun-hye. Market research firm Ranky.com said KakaoTalk had in the last week lost 400,000 users, or about 2 percent, of its 35 million or so customers in South Korea. During the same period, Telegram was downloaded by one million Koreans. [Source]

US – Twitter Investing $10 Million in MIT Lab

Twitter is investing $10 million in a lab at the Massachusetts Institute of Technology (MIT) to create platforms for online collaboration between users on civic and political issues. MIT Media Lab’s Laboratory for Social Machines (LSM) will get access to Twitter’s real-time, public news feed and its archives going back to the very first tweet, the report states. The lab will research the potential of social networks “to remake the public sphere.” Additionally, the investment will be spread over the next five years, and the “LSM will have operational and academic independence in its research,” the report states. [Computerworld]

RFID

WW – Protect Your Tappable Credit Cards and Personal ID from Wireless RFID Pickpocketing

RFID (Radio Frequency Identification) chip technology has become embedded in passports, health cards, drivers licenses, grocery store dongles, gas station dongles, debit cards and credit cards in many countries to help us get serviced faster by tapping/waving them when we are buying a coffee, gas or crossing a border. All of the information stored in the RFID chip of our credit cards and personal IDs can easily be sniffed and stolen wirelessly unless we keep them in a RFID signal blocking protective sleeve, wallet, purse or bag. Your RFID enabled cards and IDs can get scanned from 4.5 metres away. Here are the manufacturers that list products with RFID signal blocking capabilities:

Security

US – NIST Releases Final Smart Grid Doc, Revised Guidelines on Privacy

The National Institute of Standards and Technology (NIST) has released its third and final version of a document that aims “to help industry transform the more-than-century-old U.S. electrical system into an advanced, interoperable smart grid.” NIST has released version 3.0 of its “Framework and Roadmap for Smart Grid Interoperability Standards,” two years after its second version was published. NIST also published a revision to its “Guidelines for Smart Grid Cybersecurity,” which is an update to the 2010 version. The revision covers regulatory changes involving privacy, among other updates. [NIST Press Release] [FierceGovernmentIT] [Full Story] See also: [Ericsson Buys Bankrupt SmartGrid Tech Company]

US – IT Security Workforce Reaches New High

As IT security employment reaches a record high in the United States, the workforce remains overwhelmingly white and male. And that hasn’t changed in years. Here’s a look at the latest employment numbers from the federal government. “Information security analyst” is the only IT security occupation classification BLS tracks. An annualized 61,000 individuals considered themselves information security analysts during the third quarter of 2014. That includes 59,800 employed and 1,300 unemployed, resulting in an annualized unemployment rate of 2%. Economists generally consider an unemployment rate below 3% as full employment, meaning that a low unemployment rate denotes churn in the marketplaces, not people desperate for a job. During the same quarter in 2013, an annualized 53,500 individuals called themselves information security analysts, with 51,100 employed and 2,000 jobless, and an annualized unemployment rate of 3.7%. Those statistics translate into a 14% gain in the information security analysts’ workforce in just a year, reflecting the growing demand for IT security skills by businesses and governments. [Source]

WW – Researchers Uncover Voice-Activation Flaws

Researchers warn that voice-activated smartphones and other devices can be a significant security risk as some systems responded just as well to fake voices as they did to the voice of the owner. Security firm AVG says this means hackers could use this flaw to send “bogus messages or compromise gadgets in the future.” “Utilizing voice activation technology in the Internet of Things without authenticating the source of the voice is like leaving your computer without a password,” noted AVG Chief Technology Officer Yuval Ben-Itzhak, adding, “everyone can use it and send commands,” said. [BBC News]

WW – Dropbox Says Account Credentials Taken from Other Services

Several Pastebin posts claim to contain hundreds of sets of login credentials for Dropbox. A note accompanying the posts claims that credentials for nearly seven million accounts were compromised. Some sets have been confirmed as authentic. Dropbox appears to have reset access credentials for all accounts in the posts. Dropbox has issued a statement saying that they were not compromised, and the posted information was taken from other services. [Ars Technica]

WW – Malicious Android App Steals Data

An Android app that appears to be a simple game is actually malware capable of recording audio with infected devices, as well as stealing messages and device data, gaining root privileges. Gomal may be spreading through unofficial app stores. The malware will steal email from the Good for Enterprise app. Good for Enterprise developer, Good Technology, says that Gomal is a proof-of-concept app presented at Black Hat 2013. [SC Magazine] See also: [HP Will Revoke Certificate Inadvertently Used to Sign Malware]

Smart Cards

US – White House Issues Executive Order to Use Chip and Pin

The U.S. President today signed a new Executive Order directing the government to lead by example in securing transactions and sensitive data. Multiple initiatives are included. The most important is an example of the government leading by example to secure payments to and from the Federal government by applying chip and PIN technology to newly issued and existing government credit and debit cards. [White House]

Surveillance

US – FBI Director Acknowledges Some Warrantless Data Collection, Calls for Updated Wiretapping Laws

FBI Director James Comey has admitted that in some cases, his agency does collect information without a warrant. Speaking at the Brookings Institution, Comey qualified his statement on television news magazine 60 Minutes earlier in the week that the FBI never conducts surveillance without first obtaining a court order. Comey noted that the two types of cases in which the FBI gathers information without a warrant are when consent has been obtained and when conducting surveillance of foreign suspects under Section 702 of the Foreign Intelligence Surveillance Act. Comey also spoke of his concerns that stronger encryption on new iPhones and Android devices will make it more difficult to pursue investigations. He said that the government needs wiretapping powers because CALEA is outdated and has not kept up with changing technology. He did acknowledge that any provision that allows law enforcement to gain access to communications could also be abused by criminals. [NextGov] [NextGov] [DarkReading] Sen. Ron Wyden (D-OR) held a roundtable in a Palo Alto, CA, high school last week with some of the tech industry’s most influential leaders in what he referred to as “one of the first times Congress has focused squarely on the economic impact of the overreach of government intelligence.”

US – New FISMA Regulations Allow DHS to Scan Some Civilian Networks

The US Office of Management and Budget (OMB) is granting the Department of Homeland Security (DHS) authority to scan certain civilian networks for indications of threats. The issue came up after DHS had to get permission from agencies to scan for Heartbleed, which delayed mitigating that threat. New rules for compliance with the Federal Information Security Management Act (FISMA) require the agencies to agree to the DHS scanning. [Federal News Radio] [NextGov] [US – Audio Recording Capability in 2015 Corvettes Could Violate Privacy and Three New Jersey lawmakers are sponsoring bills to limit access to vehicle black box event recorders.

US – Tech Companies Say NSA Harms Business; Privacy Office Releases Report

The National Security Agency (NSA) privacy office has released a report on the privacy and civil liberties protections under Executive Order 12333, which dates back to 1981 and allows the agency to keep the contents of U.S. citizens’ communications if they are captured “incidentally” overseas. The office said there are multiple privacy safeguards in place. The ACLU has criticized the lack of judicial and congressional oversight. U.S.-based technology companies—including Google, Facebook and Dropbox—are banding together in a roundtable discussion with Sen. Ron Wyden (D-OR) to discuss how foreign companies are using the NSA revelations to gain a competitive advantage over U.S. business. [PC World] Facebook and other tech companies can appeal “bulk warrant” requests from U.S. intelligence agencies.

CA – Twitter Sues U.S. Government Over National Security Data

Twitter is suing the U.S. government in an effort to loosen restrictions on what the social media giant can say publicly about the national security-related requests it receives for user data. The company filed a lawsuit against the Justice Department on Monday in a federal court in northern California, arguing that its First Amendment rights are being violated by restrictions that forbid the disclosure of how many national security letters and Foreign Intelligence Surveillance Act court orders it receives — even if that number is zero. Twitter vice president Ben Lee wrote in a blog post that it’s suing in an effort to publish the full version of a “transparency report” prepared this year that includes those details. Critics of the U.S. government’s secrecy surrounding its national security surveillance activities lauded Twitter’s move. Jameel Jaffer, the ACLU’s deputy legal director, said “challenging this tangled web of secrecy rules and gag orders” was the right move, and he urged other tech firms to follow Twitter’s lead. “If these laws prohibit Twitter from disclosing basic information about government surveillance, then these laws violate the First Amendment,” Jaffer said. “The Constitution doesn’t permit the government to impose so broad a prohibition on the publication of truthful speech about government conduct.” [Source] [Source]

WW – MoFo Launches New Drone Practice Group

Morrison & Foerster has launched a new practice group that collects “the capabilities of attorneys from its aviation, privacy, environmental, product liability and other practices to tackle the challenges presented by the growing use of commercial drones by U.S. companies and others.” The group will include “more than 25 attorneys boasting a range of practice specialties,” the report states. [Law360] Meanwhile, Amazon has announced it is seeking an attorney to fill the corporate counsel role at its Prime Air delivery system , which is currently being developed to “get packages into customers’ hands in 30 minutes or less using unmanned aerial systems.”

US – Public Beacons Make Appearance in NYC, Quickly Taken Down

Beacons—small radio transmitters that can push advertisements to smartphones—were placed in New York City phone booths. Within hours of the report, City Hall ordered Titan, the company that controls the phone booth ad space, to remove the devices. City Hall’s Phil Walzak said, “While the beacons Titan installed in some of its phones for testing purposes are incapable of receiving or collecting any personally identifiable information, we have asked Titan to remove them from the their phones.” Some are concerned beacons can be used to track the movement of users. [Buzzfeed] [Buzzfeed] [Polonetsky commentary]

HK – Hong Kong Protests: China May Be Spying With Smartphone Apps

The Chinese government might be using smartphone apps to spy on pro-democracy protesters in Hong Kong, a U.S. security firm said. The applications are disguised as tools created by activists, said the firm, Lacoon Mobile Security. It said that once downloaded, they give an outsider access to the phone’s address book, call logs and other information. The identities of victims and details of the servers used “lead us to believe that the Chinese government are behind the attack,” said a Lacoon statement. [Source]

WW – Good2Go: App Lets Users Give Consent but Raises Privacy Concerns

The new app, which helps two parties gauge their level of intoxication and practice affirmative consent, also requires users to log their phone numbers. This means the company gets information about who a user is hooking up with and when it happened. [Source] Meanwhile, the Justice Department has charged a Pakistani man for the sale of an app that could spy on unsuspecting users, a technology domestic violence activists have tried to stop.

US – Police-Boosted Parental Control App is a Privacy Mess, Says Report

The heavily distributed kid-monitoring software ComputerCop, which many police departments around the US gave to families for free, is doing far more harm than good, a new report by the Electronic Frontier Foundation alleges. An eight-month investigation by the group — a nonprofit that focuses on civil liberties in the digital realm — says ComputerCop, which allows parents and guardians of children to monitor a child’s computer and Internet use, is sketchy in its effectiveness and falls short on protecting user data from spying. The EFF report also alleges that ComputerCop engages in shady business practices to convince law enforcement officials to spend taxpayer money on the software. “Probably the biggest problem of all is that there are law enforcement agencies that aren’t actually paying attention to cybersecurity,” said Dave Maass, who wrote the EFF report. “Some of the biggest jurisdictions in the country are giving out software that makes kids less safe if they use it.” [Source]

Telecom / TV

PH – Philippines’ SIM Card Registration May Be Violation of Privacy

A GROUP of privacy and human rights experts has urged the government to rethink the proposal that requires registration of cellphone subscriber information module (SIM) cards, a move endorsed by the national police force and Malacañang. In a statement, Foundation for Media Alternatives Executive Director Al Alegre said that while addressing crimes is important, the government should rethink how “this policy could be a violation of our citizen’s right to privacy.” “SIM cards registered when it falls into the wrong hands can wrongfully implicate innocent citizens,” Nighat Dad of Digital Rights Foundation Pakistan was quoted in a statement by the Foundation for Media Alternatives. Mr. Dad also warned that precedents exist in his country, saying SIM card registration had become a “new tool for monitoring citizens.” Foundation for Media Alternatives said in a statement that “most countries in Asia don’t have data protection laws that could help secure the collected information from SIM card registration.” [Source] See also: An article in JDSupra explores the ramifications for businesses of California’s “Kill Switch” law.

US Government Programs

US – Government Says Accessing Foreign Servers Without a Warrant is Legal

The US Justice Department maintains that the government can break into servers outside the country without a warrant. The statement is part of a response to a motion from the legal team of alleged Silk Road mastermind Ross Ulbricht, which claimed that the government’s activity violated their client’s Fourth Amendment rights and that all information the government gathered when it accessed Silk Road servers should be suppressed. [Forbes] [WIRED] [Ars Technica]

US – Federal Agencies Seek Advice on Privacy Tech Spending

Several U.S. government agencies are looking for ways to bolster privacy protection by investigating privacy-enhancing technology, and the White House has launched a project to assess federal research in privacy technology. The deadline for comment is October 17 and includes in-house research by federal agencies as well as research conducted by federal contractors and recipients of federal grants. According to an information request published by the National Science Foundation last month, the National Privacy Research Strategy “will establish objectives and prioritization guidance for federally funded privacy research, provide a framework for coordinating research and development in privacy-enhancing technologies and encourage multidisciplinary research that recognizes the responsibilities of the government, the needs of society and enhances opportunities for innovation in the digital realm.” [E-Commerce Times]

WW – Create App-Specific Passwords for iCloud

Apple has long offered two-step verification for iCloud accounts, but extra barrier for gaining access to your account was limited. The change was prompted after the recent celebrity photo leak. An unfortunate incident spurred Apple to secure users iCloud accounts using both two-step verification and app-specific passwords. The change requiring app-specific passwords was put into place on October 1. For those unfamiliar, app-specific passwords are used when an app or service you’re attempting to sign into doesn’t support two-step verification. Instead of forcing you to enter your account password, you create a single-use app-specific password, eliminating any potential for your account to be compromised. Signing into your iCloud account in Outlook, using the Email app on an Android device or a third-party calendar app are all examples of when an app-specific password is going to be required. [Source]

UK – UK Police Say Some Smartphones Have Been Remotely Wiped After Seizure

Police in the UK have reported that several mobile phones in their possession as evidence have been remotely wiped. The feature is designed to prevent owners’ data from being exposed if a phone is stolen. [BBC] [ZDNet]

US Legislation

US – White House Considering Options for Cyber Security Legislation

White House Cybersecurity Coordinator Michael Daniel says that instead of trying to push a single, comprehensive cyber security bill through the legislature, the administration will instead focus on supporting a series of smaller bills that will address the necessary issues. The administration would like to see legislation that paves the way for the Department of Homeland Security (DHS) to work more closely with private companies to protect their systems from attacks as well as clarifying how government agencies work together and with DHS. [USA Today] [Federal Times]

US – CA Gov Signs “Revenge Porn 2.0” While Publishers Sue to Stop Law in AZ

California Gov. Jerry Brown has signed an expanded “revenge porn” law that now includes “selfies.” Existing law made it a misdemeanor to post private or graphic photos with the intention of humiliating those pictured, and SB 1255 expands that to include private images regardless of who took the photo. Brown also signed AB 2643, which allows revenge porn victims to bring civil actions against those posting the images. In Arizona, a group including bookstores, publishers and the American Civil Liberties Union is suing to stop a so-called revenge porn law because it has no requirement for malicious intent and could include images taken in a “commercial or public setting.” See also: UK prosecutors are seeking prison time for revenge porn convictions. [The Sacramento Bee] Patricia Bailin writes about California’s new laws addressing a variety of privacy, security, breach notification and surveillance concerns. See also: California Gov. Jerry Brown has signed a bill that supporters say is the nation’s toughest law on protecting student privacyCalifornia has also passed an expanded “revenge porn” law that now includes “selfies.” Brown also signed a bill that would extend the expiration date of the state’s 25-year-old wiretap law from 2015 to 2020 and vetoed a bill that would have required police to obtain warrants for surveillance via drones. See also: [Anisa Salmi speaks out after nude photos leaked online] California has passed a law that requires schools to discard students’ public posts on social media within a year after a student leaves the district and notify parents that school officials are analyzing social media posts. California has passed a law making it illegal for paparazzi to use drones to take celebrity photographs, while Connecticut’s legislature is making another attempt at regulating drones,.

Workplace Privacy

WW – Working Papers Frame the Future of Labor

Data & Society’s Future of Labor project has rolled out working papers exploring the issues raised by the impact of technology on work. The papers, authored by Alex Rosenblat, Tamara Kneese and danah boyd, aim to frame the ways in which data-centric technology is affecting work to assist researchers, policy-makers and activists “who are trying to get a handle on future of work issues,” the report states. The working papers address topics including the automation of hiring via algorithms; the history of using track technologies to increase efficiency and measure productivity at the workplace, and the ways robots, drones and other intelligent systems are being integrated into the workforce “in both protective and problematic ways.” [Data & Society]

+++

16-30 September 2014

Biometrics

US – FBI Facial-Recognition Technology Achieves ‘Full Operational Capability’

The Next Generation Identification System, a controversial biometric database that relies heavily on facial-recognition technology, is now fully operational, the agency has announced. The program is designed to help law-enforcement officials identify criminal suspects, but it has endured repeated scrutiny from civil-liberties groups that say the database will endanger the privacy of everyday citizens guilty of no wrongdoing. The agency announced two new services that complete the database’s “operational capability.” The first, called Rap Back, allows officials to receive “ongoing status notifications” regarding the reported criminal history of people “in positions of trust, such as schoolteachers.” The other newly deployed service is the Interstate Photo System, a facial-recognition program that will allow law-enforcement agencies, including probation and parole officers, to cross-reference photographic images with criminal databases. Privacy groups have repeatedly deplored the FBI’s facial-recognition database as rife with troubling privacy implications. In June, the American Civil Liberties Union, the Electronic Frontier Foundation, and others warned that the facial-recognition program has “undergone a radical transformation” since it was last vetted for privacy concerns six years ago. The lack of oversight, they said, “raises serious privacy and civil-liberties concerns.” No federal laws limit the use of facial-recognition software, either by the private sector or the government. [Source]

CA – Fingerprint, Retina Scans Considered for Border Crossing Security

Canadian and U.S. security officials are considering new advanced technology features, such as fingerprinting and retina scanning, to improve the border crossing between Windsor, Ont., and Detroit. Delegates to the U.S. and Canada Border Conference in Detroit learned how security will change once the new cross-border bridge is constructed between west Windsor and Detroit. Officials spoke of eliminating paperwork, and using mobile apps, self-serving booths and fingerprinting and retina scans as some of the options. [CBC News]

Big Data

US – FTC Warns of Big Data Discrimination

At Monday’s FTC workshop on big data, Chairwoman Edith Ramirez acknowledged that while big data can bring enormous benefits to society, it “also has the capacity to reinforce disadvantages faced by low-income and underserved communities.” Computerworld reports that Commissioner Julie Brill also repeated calls for transparency rules for data brokers and advances in self-regulation by brokers. Participants had varying ideas on how to handle the issues surrounding big data, with some advocating for policy-makers to look at data “situationally” and others saying consumers should have control over their data. Meanwhile, consumer groups and others are urging the FTC to use tools other than its “enforcement hammer to address data security” as large-scale breaches continue. [Source]

US – KPMG Releases Big Data Whitepaper

Authored by Greg Bell; Doron Rotman and Mike VanDenBerg, consultancy KPMG has released a whitepaper on the privacy and security risks inherent in the use of big data. Navigating Big Data’s Privacy and Security Challenges first helps define big data, then sums up the existing regulatory landscape and identifies the five biggest challenges, ranging from re-identification risk to issues of notice and consent. Finally, the document offers a brief case study on the use of big data at a global telecom firm. [Source] See also: [IOT risk security management and the internet of things] and [The 5 V’s of Big Data…. adding in value] and [Here’s What You Need to Know About Big Data] and also: [Data miners peek into medicine cabinets]

Canada

CA – Supreme Court Ruling Not Stopping Police from Warrantless Data Requests

Law enforcement agencies are still making warrantless requests for telecom customers’ personal data months after a Supreme Court ruling appeared to shut down the practice. Police in Canada used to ask telecom companies to voluntarily hand over data on Canadian customers more than a million times per year. In June, the Supreme Court struck down this warrantless method as an invasion of privacy. But while the number of warrantless requests has dropped since the decision, they have not stopped. Key players, including the country’s largest police force and a major telecom, aren’t saying whether they still send or accept them. Another of Canada’s “big three” telecoms, Rogers, started demanding warrants for all requests after the June ruling, known as the Spencer decision. Even after this policy change, the company continues to receive warrantless requests, according to Ken Engelhart, vice-president of regulatory affairs at Rogers. [The Toronto Star] SEE ALSO: [Geist: An Inconsistent Mess: Government Documents Reveal Ineffective and Inconsistent Policies Amid Widespread Demands for Subscriber Information] and [Canadian cellular carrier TELUS has finally released a transparency report. The company received 103,500 official requests in 2013. Bell is the only major Canadian telecom company left who hasn’t revealed the number of law enforcement or government requests they receive] AND [In Canada, you can send a letter to your ISP or cellular provider asking for all of the information they collect and retain about you. In theory. Motherboard wrote about the responses received] [Telecom firms handed customer info to Environment Canada, other federal agencies] and [Geist: Geist: Fed Web Snoops Don’t Have Their Stories Straight] [Geist: An Inconsistent Mess: Government Documents Reveal Ineffective and Inconsistent Policies Amid Widespread Demands for Subscriber Information]

CA – Inquiry Shows Justice Department Sought Details for Foreign Countries

“The Justice Department asks Canadian technology companies for information on their subscribers dozens of times each year on behalf of foreign countries seeking records from wireless carriers, messaging services and even online dating sites.” That disclosure is according to the response to an inquiry by Liberal MP Irwin Cotler, who sought information from federal agencies “on when and how often they seek subscriber data from various telecom and service providers,” the report states. University of Ottawa Prof. Michael Geist is calling the results an “inconsistent mess,” the report states. The Justice Department’s International Assistance Group indicated between January 1, 2010, and May 22, 2014, “there have been approximately 250 requests made to various service providers including the country’s large telecommunications companies,” the report states. [Source] [Are You ‘Kind Of A Big Deal?’ Dating App For Elites Will Protect Your ‘Personal Brand’]

CA – Privacy Watchdog Investigating RCMP Data Collection

Canada’s privacy watchdog is investigating the RCMP’s warrantless collection of Canadians’ personal data. The Office of the Privacy Commissioner confirmed last week it is formally reviewing the police force’s collection of Canadians’ personal data from telecommunications companies. The findings are expected to be made public in the near future. The RCMP has never met with the privacy commissioner to ensure that its requests comply with privacy laws, according to a recent disclosure to Liberal MP Irwin Cotler. The investigation was launched after the former privacy commissioner, Chantal Bernier, revealed to the Star and the Halifax Chronicle Herald that nine telecoms were asked to turn over user data 1.2 million times in 2011. Authorities in Canada, including the RCMP, routinely sought “basic subscriber information” — names, telephone numbers, address and Internet protocol addresses — without having to obtain a warrant. Public Safety revealed last week that it has met with the privacy office numerous times to attempt to draft a new system of accountability for Canada’s police and spy agencies. “Those provisions would have required that law enforcement agencies and (the Canadian Security Intelligence Service) create written records of each request, conduct regular audits of practices, deliver these audits to responsible ministers, and be subject to review by relevant oversight bodies,” said Public Safety Canada in a disclosure to Cotler. The reform efforts have failed so far. All pieces of legislation that would have enacted the reforms have languished in Parliament and died on the order paper. As such, data requests remain shrouded in secrecy. With the exception of voluntary transparency reports from a handful of telecoms, there is no public disclosure on the volume of requests. Customers are not informed when their data is shared with police. Privacy Commissioner Daniel Therrien’s office also confirmed they have launched a review into private Canadians’ complaints about the warrantless access. Those complaints focus on the telecom companies themselves, for voluntarily turning information over to police. [Source] See also: [ON: Privacy commissioner intervening in Peterborough hospital privacy breach case]

CA – Alberta Commissioner Seeks PIPA Amendments

The Commissioner is asking the Government of Alberta to take action to amend the Personal Information Protection Act, pursuant to a decision by the Supreme Court of Canada (which ruled that the Act was unconditional, and gave the Alberta Legislature 12 months to bring it in line with the Canadian Charter of Rights and Freedoms). Unless the amendments are made by November 15, 2014, the Act will lapse, causing Alberta to lose the benefits of the law (including mandatory breach reporting and notification to affected individuals, and local enforcement without court involvement). [Source]

CA – Former Commissioner Radwanski Dead at 67

Former Canadian Privacy Commissioner George Radwanski died this past Thursday of a heart attack at the age of 67. Radwanski was the editor-in-chief of the Toronto Star before becoming involved in public policy in the 1980s. A speech and policy writer for Jean Chretien, the prime minister appointed Radwanski as federal privacy commissioner in 1996, where he served until resigning in 2003 amidst a parliamentary investigation for inappropriate spending. He was cleared of all charges of fraud in 2009, but the report notes that his career never recovered from the incident. “I think it was a nightmare for him being charged with anything, and being acquitted I think he thought, ‘Now I’ve been exonerated and now I can re-engage in public life,’ and he didn’t really get a chance to do that,” his son told reporters. [The Canadian Press]

Consumer

CA – Canadians Anticipate a More Connected World in 2025, But Have Concerns About Security And Privacy

McAfee Canada released findings from its first Safeguarding the Future of Digital Canada in 2025 study, which examines the thoughts and attitudes of more than 500 Canadian consumers concerning technology trends. The study looks at how technology relates to people’s homes, workplace, cars, mobile devices and online security. Canadian consumers believe that technology will significantly change their lifestyle by 2025, but feel hesitant in sharing personal information or adapting to these technologies in fear of their privacy being jeopardized. 66% of Canadians expressed concern over the expected state of cyber security in 2025. [Source]

US – Fitbit Denies Claims It Sells Personal Data

Fitbit, the maker of a popular line of wearable fitness-tracking devices, makes a statement saying it does not sell personal data to advertisers. This in response to a campaign by Senator Charles Schumer for a federal regulation to require companies like Fitbit to let customers prevent their data from being sold. [Wireless Week]

E-Government

US – Feds Hesitate Moving IT Services to the Cloud

Government agencies know the benefits of cloud computing and want to double its use. But when it comes to migrating applications to the cloud, the majority of feds — 89% — are hesitant to lose control of their IT services, according to a new MeriTalk report. For “Cloud Control: Moving to the Comfort Zone,” MeriTalk surveyed 153 government IT executives closely involved in their agencies’ cloud deployments, and found that only 44% of agencies have “mature” data governance practices in the cloud. When asked how they feel about transitioning IT service to the cloud, 43% of feds compared it to giving their son the keys to a new convertible. This explains why agencies manage 71% of data themselves, whereas cloud vendors manage just 29%. [Source]

E-Mail

US – OTA Releases Email Unsubscribe Best Practices

More than a decade removed from the implementation of the CAN-SPAM Act, the Online Trust Alliance (OTA) has revealed a set of “user-centric unsubscribe best practices.” In May, the OTA called for public comments seeking input on email marketing unsubscribe best practices “with the goal to move beyond regulatory requirements” by gathering feedback from industry and submitters in North America, the EU, New Zealand and Australia. In addition to benchmarking best practices, the OTA aimed to “raise awareness of the issue and provide actionable advice to the email marketing community” as well as “aid consumers and empower them to control their inbox and enhance their trust and confidence in email.” [OTA] See also: [Toronto: Doug Ford’s campaign emails raise privacy concerns, says municipal lawyer]

US – New Overseas Email Act Receives Mixed Reviews

New legislation is aimed at providing greater legal protection for emails held by U.S. service providers overseas. The Law Enforcement Access To Data Stored Abroad Act (LEADs Act) would mandate digital content contained within an account of a “U.S. person” but stored on a server outside of the U.S. be accessible by law enforcement only with a warrant. The catalyst for the bill is the ongoing legal wranglings about email data stored on Microsoft servers in Ireland. Microsoft General Counsel Brad Smith said, “This bill proposes a more principled legal blueprint for balancing law enforcement needs with consumer privacy rights.” The Center for Democracy & Technology’s Greg Nojeim applauded the bill’s “overall thrust” but said he is concerned it applies only to emails held by a “U.S. person.” [Full Story]

Encryption

WW – Open Source Project Aims to Provide Encryption for Communications

An open source project aimed at providing easy-to-use encryption for email launched on Monday, September 15. The Pretty Easy Privacy (PEP) Project plans to develop the technology to interact with “existing communication tools on different desktop and mobile platforms.” [CSO Online]

WW – Android Phones Will Join iPhones In Offering Default Encryption

The next generation of Google’s Android operating system, due for release next month, will encrypt data by default for the first time, the company said, raising yet another barrier to police gaining access to the troves of personal data typically kept on smartphones. Android has offered optional encryption on some devices since 2011, but security experts say few users have known how to turn on the feature. Now Google is designing the activation procedures for new Android devices so that encryption happens automatically. [Washington Post]

US – New Level of Smartphone Encryption Alarms Law Enforcement

Moves by Apple Inc. and Google Inc. to put some smartphone data out of the reach of police and the courts are raising alarms inside U.S. law-enforcement agencies, current and former officials say.” [The Wall Street Journal]

US – FBI Director Critical of Default Encryption on Mobile Phones

FBI Director James Comey has expressed concerns about Apple’s and Google’s decisions to increase encryption on mobile devices. Comey said that the new features appear to be “something expressly to allow people to place themselves beyond the law.” [ArsTechnica] [ComputerWorld] [NBC News] [The Register]

WW – IOS 8 Prevents Apple from Accessing Device Data

Apple says that the most recent version of its mobile operating system removes the company’s ability to provide law enforcement with data from devices running iOS 8. Encryption used in this iteration of iOS prevents everyone expect the device’s owner from accessing data stored on the device. Apple will still be able to turn over data stored elsewhere, such as in iCloud. However, while Apple may not have the ability to access those data, police could ostensibly retrieve the data from locked devices. [Washington Post] [WIRED]

WW – Apple Will No Longer Unlock iPhones, iPads, Even With Search Warrants

Apple said that it is making it impossible for the company to turn over data from most iPhones or iPads to police — even when they have a search warrant — taking a hard new line as tech companies attempt to blunt allegations that they have too readily participated in government efforts to collect user information. [Washington Post]

US – Apple’s “Warrant Canary” Disappears from Transparency Reports

Apple’s “warrant canary” – a statement in its transparency report that the company has never received an order from the US government under the Patriot Act – is conspicuously absent from the company’s two most recent reports. The report for the first six months of 2014 does say that “Apple has not received any orders for bulk data.” [ZDNet] [Expert: Apple’s health push poses big privacy challenges]

EU Developments

EU – National Parliaments Raise the Pressure on Data Protection

Parliamentary delegations from 16 states call on the EU to adopt its legislative package to protect personal data ‘by 2015’. The 16 countries are: Germany, Austria, Belgium, Croatia, France, Greece, Hungary, Lithuania, Luxembourg, the Netherlands, Portugal, the Czech Republic, Romania, the United Kingdom, Slovakia and Sweden. Spokesperson Viviane Loschetter from Luxembourg said: “It is essential that the adoption happen before 2015: the EU must impose its data protection standards on third countries, otherwise they will do it first. I am thinking particularly of the United States.” [World News Report]

EU – French Crime Database Breaches Privacy Rights, EU Court Rules

Storing someone’s private information in a crime database for 20 years when charges against that person have been dropped violates privacy rights, the European Court of Human Rights (ECHR) ruled in a case brought by a French citizen, Francois Xavier Brunet, against the French government. Retaining his data “could be regarded as a disproportionate breach of Mr Brunets right to respect for his private life and was not necessary in a democratic society,” the court ruled. It found this to violate Article 8 of the European Convention on Human Rights which protects the right to respect for private and family life, the court ruled. France was ordered to pay Brunet €3,000 (about US$3,900) in damages. [Source] SEE ALSO: [Proposed anti-terror law in France would erode civil liberties] and [Austria boosts anti-terrorism measures]

EU – Internet Firms Should be Banned from Building Customer Profiles: Germany

German Interior Minister Thomas de Maiziere says Google and other Internet companies should be banned from building profiles of customers using their personal data, according to this media report. “We need additional tools that enable meaningful use of Big Data but we also need to prevent the creation of customer profiles,” Mr. de Maiziere told the Sunday edition of the Frankfurter Allgemeine Zeitung. He said he wanted to ban Internet companies from gathering customer data and then selling those profiles. [Capital.gr]

UK – Data Guide: Direct Marketing Association

Legislation and codes applicable to marketing in the UK include the Data Protection Act 1998, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the British Code of Advertising, Sales Promotion and Direct Marketing (CAP Code), and the Direct Marketing Association Code; considerations for data acquisition include consent (e.g. obligations to customer at sign-up, channel-specific consent rules, and privacy and data protection notices), cookies, unsubscribe requests, and subject access requests. Considerations for data care include preference services (e.g. TPS, CTPS, MPS, BMPS, and FPS), data sharing, and data security and storage; data usage considerations include privacy impact assessments and anonymisation/pseudonymisation. [Source]

EU – Article 29 Working Party Gives Google Guidelines for Privacy Practices

The Article 29 Working Party (WP29) gave Google a set of guidelines to help the company alter its privacy practices to make them more in line with EU data protection law. The guidelines include a list of measures Google could implement, including disclosing how it collects and shares user data and what other third parties could collect data. Since consolidating its more than 60 privacy policies into one, Google has been under fire from European regulators and has been investigated by six EU countries, including Spain, France, Italy, Germany, the UK and The Netherlands. Google’s Al Verney said the company was open to the regulators’ feedback and future discussions. “We have worked with the different data protection authorities across Europe to explain our privacy policy changes,” he said. [Re/Code]

EU – Article 29 Working Party Release Guidelines on Handling RTBF Requests

The EU’s Article 29 Working Party released a statement addressing “how search engines are complying” with the European Court of Justice ruling on the so-called right to be forgotten, Bloomberg reports. The data protection authorities said they’ve agreed on a “tool box” on a “coordinated and consistent approach” for handling user complaints “resulting from search engines’ refusals to ‘de-list’ complainants from their results.” Additionally, “it was decided to put in place a network of dedicated contact persons in order to develop common case-handling criteria,” according to the statement. The network will provide a “common record of decisions taken on complaints” and “a dashboard to help identify similar cases as well as new or more difficult cases.” [Full Story] [Bloomberg]

EU – Commission Nominees Grilled by MEPs

A “grilling” of nominees for positions in the next European Commission was conducted by Members of the European Parliament (MEPs), including EU Home Affairs Commissioner Cecilia Malmström, who has been nominated to head up trade. Malmström is under fire for her alleged “soft response” to U.S. spying programs. Malmström has rejected claims that she watered down EU data protection reform. “I have always defended the European data protection proposals, internally and externally,” she said, adding, “These are based on misconceptions or on lies.” Additionally, Günther Oettinger, who has been nominated to be Europe’s new “digital economy and society” chief, is being criticized for his response to the recent hack of celebrities’ photos. [EUObserver]

EU – Group Claims EU Home Affairs Chief Worked With U.S. to Undermine Privacy Reform

Digital rights group Access has said that EU Home Affairs Commissioner Cecilia Malmström, who will be stepping down shortly, secretly collaborated with the U.S. Department of Commerce to water down the EU’s draft data protection reform. Access released an email dated January 12, 2012, claiming it proves the Home Affairs department actively worked to undermine the reforms. “If this assessment is correct,” GigaOm’s David Meyer writes, “the revelation may jeopardize Malmström’s confirmation by the European Parliament as the EU’s new trade commissioner.” The trade commissioner role will play a large part in the upcoming EU-U.S. Transatlantic Trade and Investment Partnership. Her confirmation hearing is set for October 22. [GigaOm]

EU – EDPSA Shortlist Announced

The European Commission has announced its shortlist of candidates for the European data protection supervisor (EDPS) and assistant supervisor positions in a letter to the secretaries-general. “Following a selection process carried out in line with its internal selection and recruitment procedures, the commission decided on 16 September 2014 to adopt the following lists of candidates, in alphabetical order,” the letter states. For EDPS, the finalists are Giovanni Buttarelli, Noëlle Lenoir and Yann Padova. For assistant EDPS, the finalists are listed as Cinzia Biondi, Giovanni Buttarelli and Wojciech Wiewiórowski. [Source]

Facts & Stats

US – Study: Average Budget for a Fortune 1000 Privacy Program?

This spring, the IAPP looked at privacy professionals’ roles in organizations worldwide , the influence they had on budget spending and the areas over which they had primary control. What we found was interesting, but we realized that, as a benchmarking device, it was difficult to utilize. As our members come from all manner of industries, and companies of every size and shape and have roles that range from CPO to outside counsel to HR manager, it was hard to pinpoint just what kinds of privacy programs we were looking at. So we focused more tightly, getting a sample that was alike in crucial ways: All of them were privacy leads at large, private, for-profit firms. And we are beginning to unearth some good benchmarking data. [Full Story]

US – A Day in the Life of a Data Mined Kid

Education, like pretty much everything else in our lives these days, is driven by data. Nearly everything they do at school can be — and often is — recorded and tracked, and parents don’t always know what information is being collected, where it’s going, or how it’s being used. See what a day in the life of a data mined student looks like with our Quantified Student infographic. In most states, the data are fed into a giant database, known as a “statewide longitudinal data system.” Different states collect different elements of personal student data. In the last decade, the federal government has handed states more than $600 million to help them create these databases. A study released last year by Fordham Law professor Joel Reidenberg found that very few school districts explicitly restrict the sale or marketing of student information in contracts with service providers. There are also privacy issues with third-party educational apps, often brought into the classroom by teachers. Those apps may have weak privacy policies, or, in some cases, none at all. Experts say the growth of technology in schools is happening faster than we can keep up with it. The larger concern, he says, is that connecting all those dots can create a profile of a student that can follow him from kindergarten through college. Maybe even into the workforce. It’s the prospect of that permanent data trail, say privacy advocates, that makes it so important that schools, teachers and parent wrestle with student data issues now. [Source] See also: [Canada: Graphic Back to School Tips from Privacy Commissioner] [Why Ed Privacy Laws Should Open the Eyes of All Privacy Pros]

US – Privacy Concerns Arise Over Tech in Classrooms

California lawmakers ban the sale and disclosure of data related to K-12 students. At a New York state elementary school, teachers can use a behavior-monitoring app to compile information on which children have positive attitudes and which act out. In Georgia, some high school cafeterias are using a biometric identification system to let students pay for lunch by scanning the palms of their hands at the checkout line. And across the country, school sports teams are using social media sites for athletes to exchange contact information and game locations. Technology companies are collecting a vast amount of data about students, touching every corner of their educational lives — with few controls on how those details are used. Now California is poised to become the first state to comprehensively restrict how such information is exploited by the growing education technology industry. Lawmakers in the state passed a law last month banning educational sites, apps and cloud services used by schools from selling or disclosing personal information about students from kindergarten through high school; from using the children’s data to market to them; and from compiling dossiers on them. The law is a response to growing parental concern that sensitive information about children — like data about learning disabilities, disciplinary problems or family trauma — might be disseminated and disclosed, potentially hampering college or career prospects. Although other states have enacted limited restrictions on such data, California’s law is the most wide-ranging. California lawmakers did make some concessions to industry. An exception in the legislation, for instance, allows companies to use student data for “legitimate research purposes.” “The bill sets a standard that is applicable to the larger privacy debate,” Steinberg said. “Personal information should only be used for other purposes with the permission of the individual.” [The New York Times]

US – Employee Errors Cause Most Breaches; Malware Breaches Cost the Most

Amidst the latest breach-related announcements, including reports that Home Depot’s recent breach affected 56 million payment cards , Beazley Breach Response Services released its analysis for more than 1,500 data breaches from 2013 and 2014. The results, released at the IAPP Privacy Academy and Cloud Security Alliance Congress, indicate the two most common sources of breaches are unintended disclosure—like misdirected emails and faxes, which account for 31%—and the physical loss of paper records, accounting for 24 percent.[Full Story]

WW – Scientists Support Ethics Guidelines

Findings from a Revolution Analytics survey of 144 data scientists revealed that many believe big data research needs a set of ethical guidelines. Nearly half of those surveyed believed the recent Facebook emotion contagion experiment was unethical. “Statisticians and data scientists have an important role to play in the practices and standards around handling and analyzing data in the world at large,” said Revolution Analytics Chief Community Officer David Smith, “my hope is that web and technology companies will involve data scientists more in analyzing the data that they collect.” [InformationWeek]

Filtering

CN – DuckDuckGo Joins Google in Being Blocked In China

“DuckDuckGo joins Google in being censored and blocked in the nation. Google, after years of being throttled by China’s Great Firewall since the web giant turned off its mainland China servers in 2010, was finally blocked totally in June this year. Only foreign search engines that have Chinese servers, such as Bing and Yahoo, work in China. But, operating under Chinese media laws, both Bing and Yahoo heavily censor their search results – in contrast to Google and DuckDuckGo.” [Tech in Asia]

Finance

US – GAO: CFPB Needs Data Protection Plan

The Consumer Financial Protection Bureau (CFPB) collects financial data on millions of U.S. citizens, but a report released Monday by the Government Accountability Office (GAO) suggests the CFPB “lacks a plan to adequately protect it.” The GAO’s primary privacy concern is the lack of written data collection and security procedures, the report states. “The GAO’s report recognizes that the bureau collects data on a scale similar to other regulators and uses that data to carry out its mission to protect consumers,” a CFPB spokesman said, adding, “The CFPB agrees with the GAO’s recommendations, which focus primarily on documentation of processes related to data collection.” [National Journal]

US – FTC Submits Comments on Mobile Financial Services to CFPB

A FTC press release has announced the agency has provided comments to the Consumer Financial Protection Bureau (CFPB) on mobile financial services in response to a CFPB request for information on the topic. FTC staff highlighted five consumer protection issues in the mobile financial sphere, including liability for unauthorized charges, unfair billing practices, the privacy of consumers’ financial and personal data, the security of that data and the potential use of personal and financial data by data brokers and other third parties. [FTC Press Release]

FOI

CA – Privacy Watchdog to Probe Handling of Minister’s Expenses

Canada’s Privacy Commissioner, and possibly its Information Commissioner, are investigating a federal department’s handling of Access to Information requests for Alberta Premier Jim Prentice’s expenses from when he was a cabinet minister in Ottawa. In a letter sent to NDP MP Charlie Angus, Claude Beaulé, a senior investigator in Privacy Commissioner Daniel Therrien’s office, confirms a “complaint file has been opened.” The Canadian Taxpayers Federation, meanwhile, said it had complained to Canada’s Information Commissioner about the case, and was told an investigation would be conducted. A CTF official was among those who made the original requests for Mr. Prentice’s expenses, which were initially said to have been destroyed. A spokesperson for the Information Commissioner said earlier this month the office would not confirm if it was conducting an investigation. [Source] See also: [Toronto trustees expense everything from $28 cookies to $4,000 walking tours of Israel – Documents reveal how Toronto District School Board trustees have been spending taxpayer dollars]

CA – Revoking ISIS Passports: Government Refuses to Disclose Numbers

Despite repeated queries from CBC News, Immigration Minister Alexander’s office has refused to reveal just how many passports have been seized since 2002, citing privacy concerns. Instead, they directed questions to the Canada Border Services Agency, which has yet to respond. Outside the Commons, Alexander cited privacy and security concerns for his refusal to release numbers. According to government records, since 2003, just 40 now-former Canadians have had their citizenship formally stripped after it was determined that they had obtained it by false representation or through other fraudulent means. The new provisions, which give the minister the power to revoke citizenship for terrorism-related offences, has not yet been tested. Unlike passport revocation, those numbers — but not the names of the individuals themselves — are available, as such decisions are cabinet orders, and are published on the Privy Council Office website. [CBC News]

Genetics

US – Genetics Testing Company Reverses Plans for Privacy Changes

Personal genetics testing company 23andMe is reversing its plans to make a major change to its privacy settings. It was recently reported that the company was planning to alter its user settings in a way that would give people less control over the results genetic tests would reveal about them. While it used to employ an opt-in system that would allow 23andMe to reveal close DNA relatives, it planned to change that to automatically opt new customers into the system. However, the company has since decided to reverse that decision as well as hire a chief privacy officer as a result of some backlash over the proposed changes. IAPP President and CEO Trevor Hughes discussed the privacy implications of such genetic work, even when consent is given. [VOX]

Health / Medical

US – Developers Seek HIPAA Clarity for Apps

A group of app developers have sent a letter seeking clarity on the Health Insurance Portability and Accountability Act (HIPAA). Startups including CareSync, AirStrip and AngelMD sent a letter to Rep. Tom Marino (R-PA) to express their frustration at the limited online resources to help app developers navigate the complex HIPAA mandate. They said they are struggling to compete with larger vendors that have greater resources to hire lawyers and consultants. Regulators “have not kept pace with the rapid growth of technology that gives users greater access to healthcare providers and more control over their health information,” they wrote. Meanwhile, Fitbit has hired a lobbying firm to work on consumer privacy and healthcare issues a month after Sen. Charles Schumer (D-NY) criticized its data collection practices. [Reuters]

US – GAO Report: Healthcare.gov Has Privacy, Security Vulnerabilities

The main website for the Obama administration’s health insurance exchange, Healthcare.gov, has several privacy and security vulnerabilities, according to a GAO report. The GAO also noted that moves by the Centers for Medicare & Medicaid Services to protect privacy and security have not mitigated vulnerabilities in the management of security and privacy. “Until these weaknesses are addressed, increased and unnecessary risks remain of unauthorized access, disclosure or modification of the information collected and maintained by Healthcare.gov,” the GAO report states. Reuters reports on Sen. Lamar Alexander’s (R-TN) criticism that the administration launched the site “knowing that the personal information of Americans who bought insurance through the website was not safe.” [Full Story]

US – HHS Releases HIPAA Guidance on Same-Sex Couples

Healthcare Info Security reports the Department of Health and Human Services (HHS) Office for Civil Rights has developed guidance on how the HIPAA Privacy Rule affects married same-sex couples to assist covered entities and business associates (BAs) “in understanding how the 2013 decision by the Supreme Court in United States v. Windsor may affect certain of their HIPAA Privacy Rule obligations.” The Windsor ruling requires covered entities and certain BAs “consider lawfully married same-sex spouses to have the same rights under the HIPAA Privacy Rule as opposite-sex spouses,” the report states. The guidance states “spouses include … individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.” [Source] See also: [County health department takes major tech step forward on privacy] See also: [Rob Ford Tumour Diagnosis: Do Politicians Have A Right To Medical Privacy?]

WW – Merck Finds Patients Willing to Sell Access to Data

A survey conducted by Merck, and outlined in a paper in The American Journal of Accountable Care, judged willingness of patients to have their tumors sequenced and the data studied in exchange for payment. Sixty-three of the 64 patients surveyed were willing to share their data as long as they retained data ownership and only shared the data with the entity that paid for it. “While the model would still involve significant outlay,” the report notes, “the authors think it would be cheaper than assay development.” Meanwhile, the California Supreme Court has agreed to hear a case that would determine whether healthcare regulators violated the state Constitution’s privacy clause when they accessed a local doctor’s prescribing records as part of an investigation into claims of unprofessional conduct.” [FierceBiotechIT]

US – Hospital CIO Shares How They Fought Attacks from Anonymous

Boston Children’s Hospital senior VP for information services and CIO Dr. Daniel J. Nigrin, shares how his organization defended itself against a series of attacks launched earlier this year. The hospital received a warning about the attacks several weeks before they began. The hospital incident response team prepared for the attacks along with the IT department. They managed to fend off a series of distributed denial-of-service (DDoS) attacks for a while, but when those reached a certain level of intensity – 27 Gbps – the hospital called in third-party help. The attacks affected the hospital’s external websites and networks. When Nigrin saw what was happening, he shuttered all the websites and took down email service. Employees communicated through a secure messaging application. [CSO Online]

WW – Pilot Program Allows Patients Choices on Which Data to Share With Doctors

Five behavioral health patients in Maryland have volunteered to participate in a federally organized five-month pilot project in which they pick and choose what information they want to share with their primary healthcare physicians via software called Consent2Share, a practice one public health official says is indicative of a more general paradigm shift, Modern Healthcare reports. The pilot is one of a series hosted by the Office of the National Coordinator for Health Information Technology in an initiative called Data Segmentation for Privacy. Meanwhile, a Canadian start-up plans to offer personal health assessments based on wearable sensor data and public health data sets. [Modern Healthcare]

Horror Stories

US – Home Depot Breach Put 56 Million Payment Cards at Risk

Home Depot announced that a breach at its U.S. and Canadian stores over a six-month period this year may have put an estimated 56 million payment cards at risk.” “That would make it the largest compromise of debit and credit cards in the string of cyberattacks that have hit retailers over the past year.” [Washington Post] [Analysis: Home Depot Breach Details]

US – Ex-Employees Say Home Depot Ignored Early Warnings; Class-Action Filed

Former members of Home Depot’s cybersecurity team have said that the high risk of cyber-attack was evident as far back as 2008. In interviews after the company experienced the largest retail data breach ever, the former employees said outdated software was being used to protect its network. And, a computer engineer hired to oversee security has been sentenced to jail for “deliberately disabling computers at the company where he previously worked,” the report states. Meanwhile, Toronto law firm McPhadden Samac Tuovi LLP has filed a class-action against Home Depot of Canada and its American parent, The Home Depot, Inc., in the Ontario Superior Court of Justice. [New York Times] See also: [Steven Lozanski v. Home Depot Inc. – Court File #CV-14-51262400CP – Ontario Superior Court of Justice]

US – Following Breach, Report Shows Home Depot Has $105 Million in Coverage

Following news of a data breach last week, Business Insurance reports Home Depot has a total of $105 million in cyber coverage. American International Group provides $10 million of primary coverage, followed by Zurich Insurance Group providing $20 million and Liberty Mutual Insurance providing $15 million, among others. Home Depot is likely to point to the Supreme Court’s Clapper ruling to fend off class-actions, but attorneys say plaintiffs are “quickly learning that they can bypass the defendant-friendly 2013 decision by proving that their data has been misused or that they relied on false security pledges.” [Business Insurance]

WW – TripAdvisor Customer Data Compromised

Viator, a website recently acquired by TripAdvisor, has learned that a breach of a payment card service provider’s system exposed customer data. The breach affects approximately 1.4 million customers. Viator learned of the breach after investigators looked into fraudulent payment card transactions that led back to the website. [NextGov] [The Register]

US – Jimmy John’s Confirms Data Breach

US sandwich restaurant chain Jimmy John’s has acknowledged that a payment vendor’s data breach compromised customer payment card information. The incident affects transactions at 216 stores between June 16 and September 5, 2014. [Krebs] [DarkReading] [Darkreading]

JP – Japan Airlines Data Breach

Japan Airlines (JAL) has confirmed that a cyber attack compromised personal information of as many as 750,000 customers. The incident involved unauthorized access to a JAL database from an external server.

The compromised data include names, addresses, and workplaces. The malware appears to have infected 23 computers and did not affect financial information. The attack is believed to have gained purchase through a phishing attack and may have remained undetected for over a month. [SC Magazine] [ZDNet]

WW – Breach Roundup

Data loss incidents and breach headlines include a lawsuit against six Mississippi hospitals following a breach of sensitive patient information are causing experts to weigh in with tips on why breaches happen, best practices in the event of a breach and complying with data breach laws. Mondaq reports on Florida’s Information Protection Act of 2014, which amended Florida’s breach notification statute, while TechTarget offers recommendations for “best practices” in reporting breaches. CSO examines “why retailers get hacked,” quoting one expert’s suggestion that retailers and their marketing firms must recognize some information is “just too dangerous to have.” And research from Protiviti suggests, “Businesses are failing to maintain proper security and are still not managing data properly, when looking at the big picture.” [ITProPortal]

Identity Issues

CA – Ping Identity Scoops $35m to Authenticate Everywhere

Identity provider Ping Identity has secured $35m in funding, bringing the total funding for the company to $110m. The market for identity assurance is booming as the more customers carry out transactions online. Third party vendors such as Ping Identity are in competition with existing vendors such as Facebook and Google who are also developing in this space. Forbes predicts “it will be a third party approach that straddles all the different vendors that will win”. [Forbes]

Internet / WWW

WW – Yahoo Slams New ‘Digital Will’ Law; Users Have Privacy When They Die

What should happen to your personal digital communications—emails, chats, photos and the like—after you die? Should they be treated like physical letters for the purposes of a will? Yahoo doesn’t think so. The company is criticizing new legislation giving executors charged with carrying out the instructions in a person’s will broad access to their online accounts. The legislation aims to tackle the sensitive question of what to do when someone’s online accounts on sites like Facebook, Google or Yahoo outlive them. This past summer, Delaware signed into law the Fiduciary Access to Digital Assets and Digital Accounts Act. It was modeled after legislation approved earlier by the Uniform Law Commission, a nonprofit group that drafts and lobbies for new state laws. In Delaware, the measure removes some of the hurdles that an estate attorney or other fiduciary would otherwise have to go through to gain broad access to the deceased’s online accounts. “A fiduciary with authority over digital assets or digital accounts of an account holder under this chapter shall have the same access as the account holder,” the law states. That expanded access violates the initial agreement users entered into when they started using Yahoo’s services, the company said Monday in a blog post. “When an individual signs up for a Yahoo account, they agree to our terms of service, which outlines that neither their account nor the contents of their private communications are transferrable at the time of death,” wrote Bill Ashworth, Yahoo’s senior legal director of public policy. Delete, not transfer. Yahoo’s terms of service say it may delete an account and all of the account data, if it’s shown a copy of the person’s death certificate. [Source]

US – What Impact Will “Cyborgization” Have?

A new paper from the Brookings Institution explores the privacy impacts of a trend of “cyborgization”—using cell phones and wearable devices as an extension of ourselves. “Should we recognize our increasing cyborgization as more than just a metaphor, given the legal and policy implications both of doing so and of failing to do so?” Benjamin Wittes and Jane Chong write in the paper. The trend raises questions about privacy, access, discrimination and other issues, the report states, noting, “This cyborgization of the populace, the authors say, could have immediate and significant effects on the law especially around surveillance.” [FierceGovernmentIT]

Law Enforcement

CA – Toronto Police to Wear Body Cameras in Test Project

By the end of the year, 100 Toronto police officers are expected to be sporting body-worn cameras as the force launches a one-year pilot project testing the increasingly popular — and at times, controversial — policing tool. Major details are still being hammered out, including where the cameras will be worn, when the cameras will record, and what the final price tag will be, but the Toronto Police Service plans to equip officers in four areas of the city with cameras by mid-December, according to a Request for Proposals seeking a supplier for the cameras and software. The pilot project comes after numerous reports and recommendations suggesting that the cameras, usually affixed to an officer’s lapel, glasses or police cap, could improve police accountability and reduce the use of force by officers. But the president of the Toronto Police Association, Mike McCormack, says numerous concerns will need to addressed before rank-and-file officers get fully on board. “We want to see sound policies around not only the implementation, but when are they going to be used, what about privacy rights for citizens, what about privacy rights for police officers, and what are we trying to capture with these lapel cameras?” McCormack said. The 2012 Police and Community Engagement review (PACER) was the first Toronto report to recommend that police adopt body-worn cameras, a recommendation echoed in this summer’s review of police interactions with people in mental crisis, penned by retired Supreme Court justice Frank Iacobucci. In his report, Iacobucci cited research indicating the cameras decrease complaints against police, “in part because police have an additional incentive to treat people respectfully, and also because individuals are deterred from bringing false allegations against police.” [Source]

US – New Radar Gun to Help Police Detect Texting Drivers

Police may soon have a new weapon in their efforts to prevent drivers from texting while on the road. A Virginia company is working on a device that detects the radio signals sent out from a vehicle when someone inside is using a cell phone. The technology is able to differentiate text messaging from phone calls. Virginia law allows adults to talk on a cellphone while driving, but not send text messages. The device is not yet ready for production. It still needs legislative approval and a commitment from law enforcement. [CBS-DC]

Location

AU – Information Commissioner Updates Guide for Mobile App Developers

New content has been added to the guide for mobile application developers that discusses the preparation, implementation and regular updates to a data breach policy and response plan; to aid app developers in creating a breach plan additional information regarding data breaches can be found in the Guide to the Information Security and a Guide on Data Breach Notification. [Source]

Offshore

NZ – Snowden Says New Zealand Lied About Mass Surveillance Activities

Snowden wrote a thing for The Intercept ahead of New Zealand’s election alleging the country is lying about its use of and role in developing mass surveillance technology. Meanwhile, a new report says that Snowden’s leaks haven’t really made life easier for terrorists, despite frequent claims to the contrary.

Online Privacy

WW – Apple CEO Tim Cook’s Open Letter on Privacy

Apple launches a new web site making privacy a key part of its brand values. An ‘Open Letter’ from Apple CEO Tim Cook says: “We believe in telling you up front exactly what’s going to happen to your personal information and asking for your permission before you share it with us. And if you change your mind later, we make it easy to stop sharing with us. Every Apple product is designed around those principles. When we do ask to use your data, it’s to provide you with a better user experience.” It goes on: “Our business model is very straightforward: We sell great products. We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t “monetize” the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you. Our software and services are designed to make our devices better. Plain and simple.” It’s really hotting up now! [Apple]

WW – Facebook Testing Update Option with Expiration Dates

Facebook is currently testing a new option that would allow users to place an expiration date on a given post, ranging from one hour to one week. The move comes after more employers, attorneys and law enforcement officials increasingly use social media posts to make hiring and other decisions. “It’s interesting to me because Facebook used to push this idea that our cultural notions of privacy were changing and that people should share things all the time. People reacted poorly to that,” said University of Maryland Human-Computer Interaction Lab Director Jennifer Golbeck. “But in the last six months or so, they’ve started coming around to the idea that people still want to do things privately.” [Bloomberg Businessweek]

WW – Facebook Takes Vault of Consumer Data to the Masses

Using the vast amount of data it has gathered from its 1.3 billion users, Facebook has made itself the number-two digital advertising platform in the world. Now, it’s going to take its targeted ads to the rest of the Internet, rolling out its ad platform, Atlas, which will allow marketers to use the social networking site’s detailed knowledge of users to target ads to users on other websites and mobile apps. Meanwhile, U.S. Federal Trade Commission Chief Technologist Latanya Sweeney writes in a new blog post on the ramifications of the decisions ad networks are making. [The New York Times] See also: [The ‘hot’ new thing on Tinder: Posting photos of your resume and bank account instead of your face]

US – Lawyers Seeking Telematics Data

Lawyers are turning increased attention to the data gathered by vehicle telematics systems, seeing “the data as a puzzle piece in building court cases.” The report suggests this attention indicates “privacy concerns raised about telematics data won’t go away soon. At the least, the industry’s quest to be closer to consumers through telematics has created new responsibilities involving data management.” Don Slavik, a product liability lawyer, said, “It introduces some questions of privacy issues that people aren’t aware of … We’ve just learned about the large volume of data going through systems. Not just one or 10 or 20 pieces of data, but thousands of pieces of data that are reported.” [Automobile News]

Privacy (US)

US – Study: What “Reasonable” Privacy and Security Means to the FTC

A new study from the Westin Research Center looks at the “reasonable” components of a privacy and data security program as interpreted from more than 40 FTC enforcement actions. Part of the IAPP’s ongoing FTC Casebook project, this report by Westin Fellow Patricia Bailin is meant to help shed light on what an acceptable level of privacy and data security could be, even as companies litigate the issue with the FTC in federal courts. [Source] See also: [Artificial Intelligence Is Doomed if We Don’t Control Our Data]

US – Rep. Wants Hearing to Look at Health Breach

Rep. Elijah Cummings (D-MD) has sent a letter to Rep. Darrell Issa (R-CA), chairman of the House Committee on Oversight and Government Reform, requesting that a bipartisan hearing be held to look at the causes and effects of a breach at Community Health Systems reported last month. Cummings said cybersecurity threats are an ongoing problem and an investigation of the breach would help the committee “learn from these witnesses about security vulnerabilities they have experienced in order to better protect our federal information technology assets.” [FierceHealthIT]

US – Justice Sotomayor Worried About Drones

Speaking to students and faculty at the Oklahoma City University’s law school, Supreme Court Justice Sonia Sotomayor said we are seeing “frightening” changes in surveillance technology and that citizens should get more engaged in the privacy debate. She said drone technology, for example, should “stimulate us to think about what is it that we cherish in privacy and how far we want to protect it and from whom,” adding, “people think that it should be protected just against government intrusion, but I don’t like the fact that someone I don’t know … can pick up, if they’re a private citizen, one of these drones and fly it over my property.” [The Wall Street Journal]

US – TRUSTe Announces DPM Platform

TRUSTe has announced the launch of its comprehensive end-to-end data privacy management solution, the TRUSTe Data Privacy Management (DPM) Platform, which includes automated capabilities to assess and manage privacy risks, implement compliance controls and ensure ongoing monitoring. TRUSTe CEO Chris Babel notes, “Developed in consultation with our extensive enterprise customer-base, the new TRUSTe DPM Platform puts privacy professionals in the driver seat giving them full control of data privacy management, automating processes and increasing productivity as they manage their global privacy initiatives from a single dashboard.” [Press Release]

US – Judge Dismisses Neiman Marcus Class-Action

An Illinois federal judge has thrown out a proposed class-action lawsuit alleging Neiman Marcus Group negligently failed to protect 350,000 customers’ credit card information prior to a 2013 hack into the department store’s servers. U.S. District Judge James B. Zagel ruled the plaintiffs lacked standing under Article III, stating he “wasn’t convinced unauthorized credit card charges for which the plaintiffs would be reimbursed qualify as concrete injuries warranting Article III standing,” the report states. [Law360]

US – Facebook Wins Appeal;

Facebook’s appeal against law enforcement’s collection of bulk user data has been accepted. The New York State Supreme Court ruled against a government request to dismiss the appeal and accepted briefs in support of Facebook from groups including Google and Microsoft. “Facebook is asking for the return or destruction of the data and also wants a ruling on whether the warrants are in violation of the Fourth Amendment,” the report states, and is also asking the court to determine whether the warrants’ gag provisions violated the Stored Communications Act. [PCWorld]

US – Courts Aren’t Recognizing Harm, But Breach Cases Keep Coming

George Washington University Law School’s Daniel Solove, founder of TeachPrivacy, notes in a blog that the law has not been kind to plaintiffs in data breaches. “The fact is,” he writes, courts “don’t recognize harm. Generally, we make those who cause wide-scale harm pay for it … But when a company loses data about a lot of people … the courts frequently say ‘no harm, no foul.’ Yet the lawsuits keep coming. Why?” Solove highlights a paper, Empirical Analysis of Data Breach Litigation, outlining some conclusions it makes, such as “data breach lawsuits lacking actual harm or class certification are almost as equally likely to reach settlement as dismissal.” Solove writes, “This research study shows that parties are bargaining around the legal system to make it go away.” [Source]

US – As Ad Industry Capitalizes on Tracking, One Scientist Looks at the Effects

The Economist reports on surveillance as the advertising industry’s new business model. Internet ads now account for around a quarter of the $500 billion global advertising business, and companies are able to capitalize on data they collect from users based on what sites they visit and what they click on. But users should be able to find out if they’re being tracked and what information is being stored on them and be able to stop it if they wish, the report states. Meanwhile, computer scientist Roxana Geambasu of Columbia University has recently developed software which uses a series of “shadow accounts” to see how ads change for a user when certain phrases are used. [Full Story]

US – Privacy Pathways Training Program Launched

The Privacy Pathways program, piloted through partnership with schools like the University of Maine School of Law and the High Tech Law Institute at Santa Clara Law, aims to give students access to privacy training and discounts on exams, publication opportunities and connections to the IAPP member community through internships and externships. At this week’s Privacy Academy and CSA Congress, the IAPP announced the program is expanding rapidly, with the addition of the Privacy and Technology Project of the Institute for Innovation Law at UC Hastings College of the Law in San Francisco, CA, and the University of Washington. [Full Story]

US – Yelp Agrees to $450,000 Settlement with FTC

Yelp has agreed to settle charges brought against it by the FTC and pay $450,000 for accepting registrations from children under the age of 13 in its app. In 2009, the company introduced a registration feature in its app that allowed users to create new accounts “but failed to implement a working age-screen mechanism in the new in-app registration feature,” the report states. In turn, data was collected about children through the app. Yelp wrote about the settlement in a blog post and has agreed to destroy the personal information of children collected by the bug within 30 days of the service of the order. [PCWorld] See also: [StubHub Case Rejected: a California judge rejected a proposed $2 million settlement between StubHub and a class of 69,000 customers] and also: [Google Class-Action Dropped: a group of Android users who brought a class-action against Google have dropped their case] and also [The EU will approve Facebook’s $19 billion offer for messaging service WhatsApp]

US – Hoffman Named 2014 IAPP Privacy Vanguard, Calls on Privacy Pros To Promote Ethical Use of Data

Computing has become so sophisticated that, if used correctly, it could solve many of the very real problems we face in areas like healthcare, education and renewable resources. But progress can only be made if the data we collect and compute is used correctly and ethically, and privacy professionals have an obligation to fight for that. That was the call-to-action David Hoffman made from the stage at the IAPP’s Privacy Academy in San Jose, CA, just after he accepted the 2014 IAPP Privacy Vanguard Award. “The public needs to understand that our organizations can be trusted,” Hoffman said. [Full Story]

US – Microsoft Privacy, Security Work to Become Part of Cloud, Legal Groups

Microsoft has announced its Trustworthy Computing group will no longer be a stand-alone entity, with the unit’s work on privacy, security and related issues being folded into Microsoft’s Cloud & Enterprise Division and Legal & Corporate Affairs, GeekWire reports. Microsoft indicated one of the goals “is to integrate the Trustworthy Computing work more tightly into Microsoft’s engineering teams,” the report states, noting a portion of the group will report to Microsoft General Counsel Brad Smith and another to the Cloud & Enterprise Division’s Scott Guthrie. [Source]

WW – Jepsen Questions Apple Watch; Apple Lobbies Congress on Health Privacy

Connecticut Attorney General George Jepsen has sent a letter to Apple requesting a meeting to discuss his concerns about how the company will collect, store and process personal health information generated by its forthcoming Apple Watch. Jepsen noted he was not accusing Apple of any violations but attempting to open a dialogue. Meanwhile, Apple has sent a cadre of executives to Capitol Hill to address the emerging privacy and security concerns a week after it unveiled a slew of new products and services, Politico reports. Apple’s chief technology officer and health product manager have briefed the House Energy and Commerce Committee to “provide an overview of Apple’s new offerings, demonstrate the new products and discuss how Apple sees this market developing.” [PC World]

US – Apple Makes Bold Privacy Statement

With a letter from CEO Tim Cook posted at the top, Apple released today a new privacy notice , which includes “a detailed look at how we protect your privacy.” Perhaps most notably, Apple is committing to technology that will make it impossible for the company to read the contents of iPhones or iPads upon government request. Further, declared Cook, “I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.” In another sign of the company’s commitment to privacy as a business driver, Apple, along with Box, announced via TRUSTe that it is Asia-Pacific Economic Cooperation-certified. [Full Story]

US – Mining WiFi Data: Retail Privacy Pitfalls

To compete with large online sites, more brick-and-mortar retail outlets are exploring in-store tracking. This feature looks into the practice to see whether retailers are going too far. “Two years ago, nobody wanted to put WiFi in their stores to give customers a way to window shop,” said General Datatech Senior Wireless Engineer Ryan Adzima. “Now they have a massive incentive because they’ll see you going to Amazon or other competitors; they’ll see your buying history, and they can target you more specifically and draw you away from competitors.” [InformationWeek]

Privacy Enhancing Technologies (PETs)

WW – Privacy Technology Everyone Can Use Would Make Us All More Secure

Cory Doctorow argues privacy-enhancing technology has long been unnecessarily difficult to use for the common person. In doing so, he announced SimplySecure.org, a nonprofit that he’s advising and which “collects together some very bright usability and cryptography experts with the aim of revamping the user interface of the Internet’s favorite privacy tools.” He also reaches out to those who haven’t shown an interest in privacy until now: “If you were lucky enough to be born with the unearned privilege of having ‘nothing to hide,’ then you owe it to your children, brothers, sisters, parents and friends who don’t have your good fortune to help provide cover for them.” [The Guardian]

WW – Nokia Position Paper Highlights the “Privacy Engineer”

Privacy by Design and legislative developments in privacy are valid, says a paper from Nokia entitled “Privacy Engineering and Assurance“; however, it notes, “they do not answer the question of ‘How do you do it, in practice?’“ The Nokia paper aims to foster the birth of a new professional—the privacy engineer—and solve the problem of “how” by developing a software engineering discipline that includes privacy engineering and privacy assurance to “take Privacy by Design from a subjective set of seven essential principles into a framework for implementation of privacy in the product creation process.” [Source] See also: [Creating Standards for Privacy Engineers]

WW – Ello Promises Privacy;

Privacy-focused alternatives to popular services continue to emerge, including, this week, the introduction of Ello, a social networking alternative to Facebook that claims to respect user privacy by not selling or sharing data with third parties. “You are not a product,” the invite-only social network wrote in its manifesto. The site does use cookies, both on its site and in emails; Google Analytics to generate aggregated user data, and honors Do-Not-Track settings. [CSO]

RFID

US – Missouri RFID Ban Highlights Nation’s Privacy Fears

Student privacy advocates are hailing a new law in Missouri that bans school districts from tracking students using radio frequency technology. Last week, state lawmakers overrode the governor’s veto of the bill. The controversial technology uses radio waves emitted from tiny batteries, often embedded in a card or badge, to track the location of students. The new law reflects growing national concern about electronic privacy in the wake of reports of massive government surveillance efforts through the National Security Agency. It also shows a growing interest in student privacy as parents are increasingly questioning the kinds of student records that schools maintain electronically. [Source]

Security

WW – OWASP Releases Its First Top 10 Privacy Risks

Just seven months after the project’s start , the Open Web Application Security Project’s Top 10 Privacy Risks Project has released its first list of findings. Headed up by Florian Stahl and Stefan Burgmair, the project, quite simply, aims to document the top 10 privacy risks in web applications, consulting with volunteers and experts from across the globe. “The result,” reads the project’s description, “is a list covering technological and organizational aspects focusing on real-life risks and not only legal issues.” The top three risks include web application vulnerabilities, operator-sided data leakage and insufficient data breach response. The project and its results are free to use, and it is licensed under the GNU GPL v3 license. [Privacy Perspectives]

EU – European Network and Information Security Agency Annual Incident Reports 2013: Analysis

Security incidents in the electronic communications sector across the European Union, are classified as follows – natural phenomena (earthquakes, floods, pandemic diseases, etc.) – 38%, human errors (improper use of tools or errors in execution of procedures) – 31%, malicious attacks (a deliberate attack by an internal or external agent) – 4%, and system failures (hardware and software failures) – 27%. The most prominent causes of data security incidents include the following – software bugs, hardware failure, software misconfiguration, human error, and hardware misconfiguration; the assets most affected include the following – base stations and controllers, switches, mobile switching, core networks, and power supply systems. [Report]

WW – NSA/GCHQ/CSEC Infecting Innocent Computers Worldwide

There’s a new story about a 5-Eyes program to infect computers around the world for use as launching pads for attacks. These are not target computers; these are innocent third parties. The article actually talks about several government programs. Increasingly, innocent computers and networks are becoming collateral damage, as countries use the Internet to conduct espionage and attacks against each other. This is an example of that. Not only do these intelligence services want an insecure Internet so they can attack each other, they want an insecure Internet so they can use innocent third parties to help facilitate their attacks. The story contains formerly TOP SECRET documents from the US, UK, and Canada. Note that Snowden is not mentioned at all in this story. [Schneier on Security – Crpto-Gram Newsletter] SEE ALSO: [Why it’s a bad idea to sell your child’s cheap tablet on eBay]

US – NIST Releases Draft Guidelines for 3-D Printer Security

The US National Institute of Standards and Technology (NIST) has released draft guidelines for 3-D printer security. The guidelines note that attackers who manage to breach the printers’ security could not only steal sensitive plans but also pose physical threats to the plants and employees. The specialized printers, which sometimes use metal powders to “print” objects, could explode. The machines’ commands could also be altered, undermining the printed objects’ integrity. NIST will accept comments on the document through October 17, 2014. [NextGov] [NIST]

US – DHS Program Will Bring Technologies from Lab to Practice

The US Department of Homeland Security’s (DHS’s) Transition to Practice (TTP) program aims to bring cyber security technology developed at federal laboratories “into the real world.” [HSToday]

US – NIST Creates Digital Evidence Subcommittee

The National Institute of Standards and Technology (NIST) has established a new digital evidence/forensic science subcommittee in its Organization of Scientific Area Committees (OSAC). The committee will “identify and establish national standards and guidelines for forensic science practitioners.” [NIST]

WW—Bash Shellshock Flaw

A serious flaw in a software component called Bash is said to be more serious that the Heartbleed vulnerability that was disclosed earlier this year. The flaw, which is being called Shellshock, can be exploited to remotely take control of vulnerable systems. It affects an estimated 500 million UNIX and LINUX machines. Bash, or the GNU Bourne Again Shell, is a command prompt on many Unix systems. The US Computer Emergency Response Team (US-CERT) has issued a warning and is urging admins to patch the flaw. Others have expressed concern that the patches that have been made available are incomplete. [BBC] [CSMonitor] [Krebs] [Ars Technica] [US CERT] –Shellshock Flaw is Being Actively Exploited (September 25, 2014) There are reports that attackers have already begun exploiting this flaw to infect vulnerable servers around the world. [eWeek] [ZDNet] [WIRED and [NYT: Shellshock May Further Marginalize Open Source Software]]

Smart Cards

US – US Will Adopt Chip-and-PIN

The idea of storing credit card account information on a magnetic stripe, while innovative in 1960 when it was first conceived, is now vulnerable to theft, particularly because the data encoded on the magnetic stripes are static. The US is finally following the rest of the world in moving to the more secure chip-and-PIN, or EMV technology (so-called because it was started by Europay, MasterCard, and Visa). [WIRED]

Surveillance

CA – Ottawa Admits to Tracking Hundreds of Protests

Ottawa has kept tabs on hundreds of demonstrations across Canada and around the world over the last eight years, from peaceful protests to public university lectures to riots. Newly released documents show about 800 public demonstrations and events were observed and reported on by government departments and law enforcement agencies since 2006. Reports were collected centrally by the Government Operations Centre, an agency tasked with preparing the federal government’s response to emergencies. Some were collected by Foreign Affairs on international protests, but the majority focused on domestic events – especially First Nations protests and environmental activism. Some appear to be media reports detailing the events, but others were prepared by Canada’s spy agency, CSIS, and the RCMP. The Conservative government has defended the practice, saying even peaceful protests can go bad and the public’s safety must be protected. But the documents, tabled in Parliament, reveal the Government Operations Centre was interested in much more than protests. [The Toronto Star]

US – NSA Chief Dismisses Scandal’s Impact; Agency ‘Fully Compliant’ With Law

Whistleblower Edward Snowden’s revelations about the NSA surveillance programs have not negatively affected its relationship with foreign counterparts, said NSA Director Adm. Michael Rogers, adding the corporate sector, nation states and foreign intelligence counterparts have not walked away from the agency. Rogers, who has been at the agency’s helm for only five months, said he is not dwelling on the past, but he did defend the agency’s controversial operations. “The reviews to date have all come to the conclusion that the National Security Agency has been fully compliant with the law and, secondly, that in the execution of those lawful operations, there is no finding that the NSA has attempted to systematically undermine that law or failed in its duties to protect the information that it collects,” he said. Moving forward, the NSA should aim for “translucency” because true “transparency” would undermine surveillance efforts entirely, he said. “The people on the other side of the glass can see the broad movement of the shapes and have a comfort level with that,” said Hayden. [FierceGovernementIT]

US – NSA Director: Snowden Hasn’t Damaged Our Relationships with Counterparts

NSA Director Adm. Michael Rogers said the Edward Snowden revelations have not negatively affected the NSA’s relationship with its counterparts, pointing out “the corporate sector, nation states and foreign intelligence counterparts have not walked away from the agency.” Rogers has been leading the agency for the last five months. Meanwhile, a new chat program designed by a middle-school dropout, now aged 22 and a self-taught coder, offers anonymity and encryption and even resolves the issue of metadata . A new version of the program, called Ricochet, is planned for release in November. [FierceGovernmetn IT]

US – Border Patrol to Test Body Cameras to Curb Use of Force

The U.S. Border Patrol has purchased body cameras and will begin testing them this year at its training academy, two people briefed on the move said Wednesday, as new leadership moves to blunt criticism about agents’ use of force. R. Gil Kerlikowske, who has led the Border Patrol’s parent agency since March, announced the plans to a small group of activists who have pressed for cameras, according to a person who attended the briefing and spoke on condition of anonymity because the discussion was intended to be private. Testing will occur at the Border Patrol academy in Artesia, New Mexico. [CBC News]

WW – Making an Art of Surveillance

An exhibit set to feature hacked photos of naked celebrities is raising eyebrows, blurring lines between our online and offline worlds. “Celebgate has brought many privacy issues to the forefront,” noting that while XVALA’s exhibit may seem to “demonstrate that noncelebrities simply have much less to fear,” past artistic installations have shown that random images of “unremarkable people” have also raised concerns, sometimes even leading to lawsuits. “Like other art before it, this leading edge of expression exploring surveillance, privacy and anonymity will challenge and make us face the realities we are creating—at least as long as these exhibits are permitted for public consumption’” [Source]

Telecom / TV

US – ‘Interceptor’ Cellphone Towers Found Near White House, Senate

Mysterious “interceptor” cellphone towers that can listen in someone’s phone call despite not being part of any phone networks have turned up near the White House and Senate. A company that specializes in selling secure mobile phones discovered the existence of several of the towers in and around the nation’s capitol. “It’s highly unlikely that federal law enforcement would be using mobile interceptors near the Senate,” ESD America CEO Les Goldsmith said. The towers are also capable of loading spyware onto a mobile device before passing off a victim’s call to a legitimate network. “My suspicion is that it is a foreign entity,” he told Venture Beat. [The Washington Times]

CA – The Covert Cellphone Tracking Tech the RCMP and CSIS Won’t Talk About

Law enforcement and intelligence agencies in Canada won’t say whether they use covert tools called International Mobile Subscriber Identity (IMSI) catchers to track the location of mobile phones and devices – even as the extent of their use by U.S. government agencies is raising serious questions among civil libertarians. The devices colloquially known as Stingrays – which is the trademarked name for a widely used model sold by Florida-based Harris Corp. – commonly work by masquerading as a legitimate cellular communications tower and tricking nearby devices into connecting and sharing your phone’s IMSI, typically without the knowledge of device owners. Once connected, an operator can collect identifying information on all connected devices in a geographic area, or home in on the location of a specific device. In certain circumstances, it can even intercept phone calls and text messages. [The Globe and Mail] SEE ALSO: [Documents Suggest Maker of Controversial Surveillance Tool Misled the FCC] AND [The ACLU wrote a letter to the FCC asking for an investigation]

CA – Netflix Refuses CRTC Demand for Confidential Data

Netflix refused to heed a demand from Canada’s federal broadcast regulator to hand over confidential customer data despite threats its exemption from regulation would be revoked if the video streaming service did not comply. “While Netflix has responded to a number of the CRTC’s requests, we are not in a position to produce the confidential and competitively sensitive information ordered by the commission due to ongoing confidentiality concerns,” said a Netflix spokesperson. “While the orders by the CRTC are not applicable to us under Canadian broadcasting law, we are always prepared to work constructively with the Commission.” [Source] See also: [Mining WiFi Data: Retail Privacy Pitfalls]

US – FTC Files Comments with FCC on Promoting Privacy in Broadband

In a comment filed Friday with the FCC, the FTC provided information on its enforcement, policy and education work as it relates to consumer privacy and data security as applied to residential broadband Internet services, according to an FTC press release. In its comments, the FTC highlights its efforts to promote consumer privacy and data security “through rigorous enforcement of the FTC Act, the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act.” It also describes its privacy report, Protecting Consumer Privacy in an Era of Rapid Change, and its numerous workshops and seminars on related topics. [Source]

US – Apple’s CEO Throws Major Shade at Tech’s Ad-Based Business Model

Apple announced new privacy features and a push to educate consumers on how the company uses their data in an open letter from chief executive Tim Cook. In the letter, Cook also took some not so subtle digs at competitors who mine user data for advertising purposes: “We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t “monetize” the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you.” [Washington Post]

US – FPF Gives iOS8 a Thumbs-Up; Apple Faces Criticism for iTunes Gift

The Future of Privacy Forum has reviewed Apple’s iOS8, concluding its new “prompting with purpose” disclosures, refined location settings and strict requirements for apps “will present greater transparency, protection and control over privacy” for users. Meanwhile, as part of its launch of the iPhone6, Apple featured a gift to users: Irish rock band U2’s new album. A free download was sent to users’ iTunes music collection, but some users weren’t so excited, citing Apple had gained access to their accounts without asking permission first. [Source]

US Government Programs

US – CFPB to Tighten Controls After Government Audit Cites Problems

Responding to government auditors, the Consumer Financial Protection Bureau (CFPB) is formalizing a comprehensive privacy plan addressing how the agency will assess and manage privacy risks and monitor and audit privacy controls. The CFPB also will develop role-based privacy training for its staff and review its remedial action plans and information-security risk management process “to further refine oversight of service providers,” according to CFPB Director Richard Cordray. The changes come after a Government Accountability Office audit issued this week stated the CFPB “lacks a plan to adequately protect” the consumer financial data it collects. [GovInfoSecurity]

US – GAO Says TSA Needs to Strengthen Privacy Oversight

The Government Accountability Office (GAO) has said the Transportation Security Administration (TSA) has made positive strides implementing its Secure Flight program but still needs to improve oversight of its privacy mechanisms, including staff training. “Because the program relies on sensitive information, including personally identifiable information from the approximately two million people Secure Flight screens each day, privacy incidents and inappropriate disclosures could have significant impacts on the traveling public,” the GAO audit states. Though the TSA has implemented privacy measures, more could be done, including job-specific privacy training in line with Office of Management and Budget privacy training requirements, the report states. [HS Today]

US – FISA Court Renews NSA Metadata Program

The Foreign Intelligence Surveillance Court has reauthorized the NSA program that collects in bulk the metadata of U.S. citizens’ phone records. The reauthorization comes while a reform bill remains stuck in the Senate. “Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the Section 215 telephony metadata program, the government has sought a 90-day reauthorization of the existing program,” said the Department of Justice and Office of the Director of National Intelligence in a joint statement. Both of the government agencies also said they support the USA FREEDOM Act, saying “it reflects a reasonable compromise that preserves essential intelligence community capabilities, enhances privacy and civil liberties and increases transparency.” [The Hill]

US – Appeals Court Says NCIS Scan of Civilian Computers Went Too Far

A US federal appeals court in California ruled that the Naval Criminal Investigative Service (NCIS) overstepped its authority when an NCIS agent used a tool to search for hashed child pornography images on the computers of all Washington state computer users running Gnutella file-sharing software. Judge Marsha Berzon wrote that the “surveillance of all computers in Washington amounted to impermissible direct active involvement in civilian enforcement of the child pornography laws, not permissible indirect assistance.” [Ars Technica]

US – Air Force Seeking Improved Network Mapping and Analysis Technology

According to a presolicitation notice, the Air Force is seeking situational awareness technologies to help it see what is happening on its networks. The program, called Mission Awareness for Mission Assurance (MAMA) “will investigate the automated assessment of mission execution by analyzing network traffic flows” so personnel can “prioritize essential functions, map out cyber assets, and assess and mitigate vulnerabilities.” The Air Force wants to be able to carry out core missions in the face of attacks. [Defense Systems] [Presolicitation Notice]

US – Connect.gov Password Consolidation to be Tested Next Month

Starting as soon as October 2014, Connect.gov, a system that will eliminate the need for users to remember at least some of their sets of access credentials, will “launch with a few key anchor agencies that will be testing it out in the first round.” More agencies are expected to join within the next two years. [NextGov]

US Legislation

US – As Laws Are Slated for the Books, Tech Worries Persist

Student privacy bills are headed to the books in 20 states. According to the Data Quality Campaign, 110 bills on student data privacy were introduced in 36 states this session, with 24 being signed into law. They addressed biometric, social and personal information. Mmeanwhile, the lack of restrictions on the “unprecedented student data amassed by education technology companies,” and the tensions that continue to build as the federal government encourages the use of such technology while parents worry about who gets that information and what’s done with it. A story in The New York Times story reports on similar concerns. [Government Technology]

US – Tech Companies Urge Lawmakers to Move Forward with Bill to Amend ECPA

Technology companies are calling on US legislators to pass Email Privacy Act, a bill that would update the 1986 Electronic Communications Privacy Act (ECPA), which allows law enforcement authorities to search, without a warrant, communications that have been stored in what we now call the Cloud for more than 180 days. The bill’s supporters say that ECPA is outdated and poses a threat to people’s privacy. [The Hill]

Workplace Privacy

NZ – Is it Wrong to Send Personal Emails to Work Addresses?

The Legal Complaints Review Officer (“LCRO”) of the Office of the Privacy Commissioner, New Zealand, determined that there was a risk that a confidential email sent by an lawyer to an individual’s work email account might have been accessed by others in the workplace (the fact that this did not appear to have occurred did not detract from concern about the risk); however, the LCRO declined to make a disciplinary finding, claiming that it was not appropriate to make an example of the lawyer when the use of email for communication needed more discussion by the Law Society and its members. [Source]

US – Barriers to BYOD? A Lack of Trust In Employers to Protect Privacy

A new survey released by AdaptiveMobile finds only 30% of more than 5,000 employees of global organizations are happy with “employers managing their corporate mobility service.” In total, 84% of respondents listed privacy as a top-three concern with the use of personal devices for work. Almost half simply wanted to keep work and private life separate, but a full quarter also said they have a general mistrust of their employer “being granted any type of control over their devices.” [ZDNet]

US – Federal Background Checks, One Year After The Navy Yard Shooting

A year after a Navy and Marine Corps subcontractor killed 12 people at the Washington Navy Yard, the federal government has fired the firm that handled most of its background checks, conducted multiple reviews of security-clearance processes and changed key screening policies. Now the government is touting major reforms of the process, which faced challenges long before incidents with Alexis and Edward Snowden brought critical problems into focus. In a February report, the council said screeners need greater access to state and local police reports. It concluded that they can’t always view records that could raise red flags, oftentimes because of legal and technological limitations. The review echoed findings from the House Oversight and Government Reform Committee. OPM said it now has increased its engagement with local and state police agencies and is working on IT upgrades to connect more with crime databases. The Obama-appointed council also called for OPM to conduct follow-up investigations every five years for employees and contractors who hold clearances. That requirement is now in place. In addition, it also recommended reducing the number of workers who hold clearances. The Defense Department made the same recommendation in its review of the shooting, released in March. Clapper has directed all agencies to identify clearances they could eliminate. The Pentagon has said it expects to reduce the number of Defense authorizations by 10 percent. Earlier this month OPM announced another major change: It said it would not renew its contract with USIS for background checks. In Congress, lawmakers have also proposed various background-check bills. [Source]

+++

01-15 September 2014

Biometrics

WW – Academics Unveil Facial Recognition Technology for Shopping

Academics at the Chongqing Institute of Green and Intelligent Technology in southwest China say they have developed a new system of facial recognition software that is capable of taking images of shoppers’ faces from 91 angles. The information is then analyzed over a period of just a couple of seconds using two million data sets, with an accuracy rate of 998 out of 1,000. The system could be operational from the second half of 2015 and would allow shopping without PINs or passwords as identifiers. Meanwhile, a judge has issued a warning about the consequences of a rape conviction based on DNA collected at a police station despite the alleged perpetrator’s protest. [International Business Times]

US – GM to Launch Eye-Tracking Technology for Distracted Drivers

General Motors is preparing “to launch the world’s first mass-produced cars with eye- and head-tracking technology” that can decipher whether drivers are distracted. Australian group Seeing Machines has signed an agreement with a manufacturer to supply GM with tracking devices for up to 500,000 vehicles over the next three to five years, the report states. “The technology raises significant privacy concerns over how manufacturers and insurers will store and handle the data, though Seeing Machines’ devices will not keep or transmit the information, at least initially,” the report states. [Gulf News] See also: [Car Hacking Is The New Car Jacking] [US: GM reportedly ready to introduce facial recognition tech in cars]

Canada

CA – B.C. Government Set to Review Controversial Privacy Law

Until Sept. 19, B.C. residents have an opportunity to voice any concerns over the provincial Personal Information Privacy Act (PIPA), which has been criticized for overstepping the boundary when it comes to the privacy rights of citizens. The key concerns with PIPA include how personal information is handed over to government authorities and other organizations without a warrant or consent, and citizens aren’t notified when their information has been given up. It was enacted in 2003 and last reviewed in 2008. The special committee, comprised of MLAs, is expected to issue a report to the Legislative Assembly on the review’s results by Feb. 25, 2015. “The committee is undertaking a comprehensive review of B.C. private sector privacy legislation,” said MLA Mike Bernier, committee chair, in a media release. “We are holding a public consultation to gather important information on how well the act is working, and whether changes are necessary.” [Source] [Metro News]

CA – Peterborough Lawsuit Sets Precedent for Ontario Patient Privacy Rights

A class-action suit against Peterborough Regional Health Centre to be heard by the Court of Appeal in December will determine whether patients can sue hospitals for invasion of privacy. [Toronto Star] See also: With the certification of Evans v. The Bank of Nova Scotia, the newly introduced tort of intrusion upon seclusion has become another weapon in the arsenal for the class-action plaintiffs’ bar. [Law Times] See also: [Focus: Privacy class actions on the rise]

CA – B.C. Police Too Prying In Volunteer Background Checks

A privacy watchdog is calling on B.C.’s privacy commissioner to investigate whether police departments are being too intrusive in the questions posed to potential volunteers and employees. The B.C. Freedom of Information and Privacy Association said several police departments are collecting “unnecessary, inappropriate and excessive personal information” from people applying for paid and unpaid positions. The non-profit association was approached by someone applying for a volunteer position with the Delta Police Department’s community police section. They had been given a 25-page “integrity and lifestyle questionnaire” asking about sexual activity, drug use, finances and whether the applicant has ever been unemployed or on welfare. Applicants also have to undergo a polygraph test and a background investigation and are told “deceit, dishonest or non-disclosure concerning questions in this document may result in your disqualification from current or future civilian employment opportunities.” “This kind of statement encourages respondents to disclose further personal information even when it is not specifically asked for,” said Vincent Gogolek, the association’s executive director. Once the privacy association started investigating, it found many police departments across B.C. have similar questionnaires, he said. The association is asking B.C.’s information and privacy commissioner, Elizabeth Denham, to determine whether police departments are invading people’s privacy with these questions. Denham’s office confirmed it had received the complaint and said staff would be reviewing it before deciding whether to launch a formal investigation. [Source]

CA – Audit Raises Concern About Prisoners’ Privacy Rights

The federal organization with one of the worst track records on privacy continues to suffer from lack of awareness, lack of training and a lack of reporting, according to a recent audit. Auditors reviewing the privacy of inmates at federal institutions noted that Correctional Service Canada staff didn’t report all privacy breaches, believing some incidents weren’t breaches at all. Auditors noted that they saw first-hand an inmate return a report to guards because the document was given to him by mistake. The potential privacy breach wasn’t reported, auditors wrote. According to the report, CSC staff were told that institutional culture, “fear of reprimand” and lack of awareness about “what actually constitutes a privacy breach” were among the reasons why privacy breaches weren’t being reported. The internal audit team concluded “offender safety may be jeopardized if these systemic issues continue.” The audit renewed concerns about the privacy practices in prisons that were identified in 2006, with auditors noting that CSC had yet to implement some recommendations from that eight-year-old report. The service was to implement sweeping changes by the end of July, including training packages. [Source]

Consumer

US – Airbnb Sued Over Privacy Concerns—Anonymously

Airbnb has been sued by 21 anonymous New Yorkers who hope to prevent the home-sharing website from turning over their personal information to the New York Office of the Attorney General, CNBC reports. Airbnb said in May that it will comply with a subpoena from New York Attorney General Eric Schneiderman during his probe of illegal hotel operations in New York City, the report states. The case involves a law that prohibits residents of multiple buildings to rent out their apartments for less than 30 days unless they are also at their apartments. Airbnb has said it will withhold the renters’ info until a court tells it otherwise. [CNBC]

E-Mail

EU – Microsoft Agrees to be Held in Contempt So It Can Appeal Case

Microsoft has reached a deal with the U.S. government in which it will agree to be held in contempt of court in order to move an email privacy case on to appeal. The case involves a U.S. government demand for emails stored on a server in Dublin, Ireland. The Obama administration has said the company must comply with valid warrants for data, even if it’s held overseas, the report states. “Everyone agrees this case can and will proceed to the appeals court,” said Microsoft in a statement. “This is simply about finding the appropriate procedure for that to happen.” [Ars Technica] [ZDNet] [SCMagazine] [The Register] [Stipulation Regarding Contempt Order]

US – Tech Giants Want Vote on Email Privacy Act

A host of technology companies including Google, Microsoft, AOL and Yahoo have written to congressional majority leaders requesting a vote on the Email Privacy Act, which has seen no movement since it was proposed last summer, despite having the support of more than half the house. congressional supporters of the bill say the delays are due to attempts to attach other provisions to the bill. According to the letters, the bill, which is an update to the Electronic Communications Privacy Act, would “eliminate outdated discrepancies between the legal process for government access to data stored locally in one’s home or office and the process for the same data stored with third parties” in the cloud. [The Hill]

Encryption

WW – CryptoWall More Prolific Than CryptoLocker

Analysis from Dell SecureWorks Counter Threat Unit shows that CryptoWall ransomware has passed infection rates of its relative, CryptoLocker. In just five months, CryptoWall infected an estimated 625,000 computers around the world, collecting more than US $1.1 million in ransom. [SC Magazine]

WW – Mozilla Retires 1,024-bit Certificates; 100,000+ Websites Now “Untrusted”

Because Mozilla allowed its 1,024-bit certificates to expire, more than 100,000 websites are now considered untrusted by that company’s browsers. Chrome has not allowed its 1,024-bit certificates to expire due to just those concerns. [The Register]

UK – ICO Fines Ministry of Justice Over Unencrypted Prison Records

The UK Information Commissioner’s Office (ICO) has fined Ministry of Justice GBP 180,000 (US $298,500) for losing a device that contains unencrypted prison records. In May 2012, the Prison Service issued new hard drives with encryption capabilities to all 75 prisons in England and Wales. The ministry, for which this is a repeat offense, was reportedly unaware that disk encryption needed to be switched on. The missing device contained personal data about nearly 3,000 inmates. The data include health information, visitor information, and prisoners’ links to organized crime. [NextGov] [v3.co.uk]

WW – CryptoPhone Identifies Rogue Cell Towers

Rogue cell towers, also known as IMSI catchers, can track smartphones and intercept calls, often without detection. “It’s only a matter of time before they’re as ubiquitous as GPS trackers.” In response, German firm GSMK has developed a firewall for its high-end, secure CryptoPhone. The system—reportedly the first of its kind—can detect when a rogue cell tower is connecting to the phone but is currently only available for Android phones. CSMK’s CryptoPhone 500 combines its operating system with a Samsung Galaxy S3 device, while offering end-to-end encryption. Additionally, in response to the rise of IMSI catchers, the Federal Communications Commission is developing a task force to address the issue. [Wired]

EU Developments

EU – DPA: RTBF Ruling Bolsters Regulators’ Roles

After Europe’s top court created a right to be forgotten, an almost-forgotten battle involving Facebook was resurrected. The European Court of Justice (ECJ) May ruling bolsters Hamburg data protection regulator Johannes Caspar’s case aiming to force Facebook to comply with German law, which Caspar discussed with the company at an August meeting. Facebook says it is only bound by Irish rules, as its EU headquarters are in Dublin, Ireland. “The ECJ ruling bolsters the jurisdiction of the national data protection authorities,” Caspar said, adding, “It determines that national law is applicable to data processors which have a unit in the country, even if its activity is merely to to economically support the Internet offerings.” [Bloomberg]

EU – President Calls for Privacy Negotiations to be Completed in 6 Months

Amidst what the Financial Times has called “one of the biggest overhauls of the EU executive in more than a decade”—with incoming European Commission President Jean-Claude Juncker’s announcement of his nominations for a suite of new commissioners—Juncker has called for the “conclusion of negotiations on the reform of Europe’s data protection rules as well as the review of the Safe Harbour arrangement with the U.S.” One large departure under Juncker is his creation of a sort of hierarchy within the commission. Rather than 27 commissioners, there are now two ‘high vice presidents,’ five vice presidents and then 20 commissioners.” [Privacy Advisor]

EU – Ireland Names Dixon as Next DPC; Hawkes Talks Expectations

Irish Data Protection Commissioner Billy Hawkes’ tenure came to an end on August 31, and today, an Irish government committee approved longtime civil servant Helen Dixon as the new data protection commissioner of Ireland. Dixon will have an increasingly important role to play. Mark Scott recently called the position “relatively obscure” but with “global sway.” Hawkes—who was sometimes criticized for having a “light touch” as a regulator—discusses the highs and lows of his tenure and what his replacement may expect, especially given it will be her job to regulate tech giants like Yahoo, Google and Facebook, headquartered in Ireland. [The Privacy Advisor] [The New York Times]

UK – Data Explosion Fuels Growth in Privacy Cases

The number of privacy cases fought in UK courts has doubled in the last five years, amid an explosion in the amount of personal data held and shared by government agencies, and retained by businesses. In the year to 31 May 2014, there were 56 cases in the High Court, up from 28 five years ago, according to figures from legal information provider Thomson Reuters, which said a high proportion of the cases this year involve claims against public institutions, particularly the police. These have included stop and search complaints. Improved data storage and search technology allows personal data on citizens to be much more easily shared and transferred between government departments. The rapid growth in the commercialisation of personal data has created a lot of new threats to people’s privacy. When businesses cross the line, people feel strongly enough to enforce their privacy rights through the courts. [Source] See also UK Prime Minister David Cameron is “expected to unveil plans that make it easier for intelligence agencies to access airline passenger information” as part of the government’s strategy to fight terrorism. [PressTV] and The Swiss Federal Council said the European Court ruling on data retention has no effect on Swiss laws. The Swiss law on telecoms surveillance is under review, with an aim to increase the required data storage period to 12 months. [Telecompaper] and [Decision No 2014-693 DC March 25 2014 – The Constitutional Council, France]

Facts & Stats

WW – GPEN: 85% of Apps Fail to Protect Privacy

The results from a survey of more than 1,200 mobile apps by 26 privacy regulators from around the world has found 85% of apps fail to provide basic privacy information, according to a UK Information Commissioner’s Office press release. Nearly 60% of the apps left users struggling to find basic privacy information, and 43% did not adequately tailor privacy notices to a small screen. [UK ICO] See also Disconnect Mobile app, Google has once again removed it from its Google Play Store. UPDATE: [Privacy guard Disconnect Mobile returns to Google Play]

WW – Study Reveals Popular Android Apps Put Privacy, Security at Risk

A newly published study has revealed that many of Android’s most popular apps—including Instagram, Grindr and OKCupid—do not take basic security measures to protect users’ data. Researchers from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) analyzed a broad range of Android-specific apps to find security vulnerabilities and plan to release one YouTube video per day disclosing their findings. UNHcFREG’s Ibrahim Baggili said, “What we really find is that app developers are pretty sloppy.” Many of the vulnerabilities included lack of encryption of images stored on servers, messages between users and other data traffic. Baggili also said the team has contacted developers of the apps that were analyzed. [PC World] See also: [Xiaomi under investigation for sending user info back to China]

Filtering

WW – Google Kicks Off RTBF Meetings

Google’s inaugural right-to-be-forgotten meeting in Spain, noting the company’s advisors “took just three questions from the public.” The Madrid meeting is the first of seven set across Europe, but some are criticizing the meetings as publicity stunts. “Whatever Google would have done would have been considered PR,” said Luciano Floridi, an Oxford philosophy professor and current panelist, adding future events will devote more time to questions. Jef Ausloos, a researcher at Belgium’s University of Leuven, said, “What we need to know now, is how exactly this should happen, what the role is for national data protection authorities.” [Bloomberg] See also: After Europe’s top court created a right to be forgotten, a battle involving Facebook and Hamburg data protection regulator Johannes Caspar was resurrected. [Bloomberg]

CN – China Snooping on Scholars’ Google Searches

People conducting research in China are being watched by authorities when they conduct Google searches. Public Internet users in China are not able to use Google at all, but scholars at research institutions are able to use the search engine through the CERNET education network. Authorities in China were able to see what those scholars were researching until Google began encrypting searches. Now China uses a man-in-the-middle attack to keep an eye on CERNET users’ searches. [InfoSecurity] [NextGov] [Netresec] In a related story, a Chinese man is suing state telecommunications company China Unicom for blocking his access to Google]

Finance

US – Bank of America Finalizes 32 Million Dollar Settlement in TCPA Class Action

A U.S. District Court in California has approved a $32 million Telephone Consumer Protection Act settlement, ending a class-action against Bank of America and FIA Card Services that alleged the defendants systematically called or texted consumers’ cell phones through automatic dialing systems and/or prerecorded voice systems without express consent [Hunton & Williams Privacy and Information Security Law Blog See also: [Adobe Class-Action Moves Forward | Home Depot Suit Filed]

US – Verizon Fined for Customer Privacy Violations

Verizon has agreed to pay US $7.4 million for failing to notify approximately two million customers of their privacy rights and to settle charges Federal Communication Commission (FCC) that it used customer billing and location data in targeted marketing campaigns aimed at trying to sell them other Verizon services. Communications companies may do this if they first obtain customers’ permission. [CNN] [ArsTechnica] [FCC] See also: Carrier IQ and a group of mobile phone manufacturers have asked a judge to dismiss a class-action accusing the software maker of violating several privacy laws, including a federal wiretap law. [Verizon failed to tell 2 million people it was using their personal info for marketing. Now the FCC is making it pay]

FOI

CA – Number of People on Canadian No-Fly List Must Stay Secret: Government

Federal security officials are resisting pressure to reveal how many people are on Canada’s no-fly list, arguing the information could help terrorists plot a catastrophic attack on an airliner. In newly filed court documents, the government also contends that divulging the figure might damage relations with key allies, especially the United States. Information Commissioner Suzanne Legault is challenging the government’s refusal to disclose the data to a Montreal journalist who requested it under the Access to Information Act. La Presse reporter Daphne Cameron filed two requests for figures from 2006 through 2010 — one for the total number of people on the list, the second for the number of Canadian citizens. Legault’s office investigated Cameron’s complaint against Transport Canada and recommended last year that the agency release the figures. Transport Canada refused to comply, prompting Legault to take the case to the Federal Court of Canada. In withholding the numbers, Transport Canada invoked a section of the access law shielding information whose release could interfere with the conduct of international affairs as well as the detection, prevention or suppression of “hostile activities.” The U.S. has revealed there are about 16,000 people — including fewer than 500 Americans — on its no-fly list. In a 2012 report, the watchdog that keeps an eye on CSIS said confusion over how the no-fly list should work had “significantly undermined” its potential to help keep the skies safe. The Security Intelligence Review Committee said the notion of “an immediate threat to civil aviation” was open to interpretation, and federal agencies had “struggled” with nominating people for the list. [Source] See also: [AU – Clear and Present Danger to Freedom of the Press] and [CA – Prentice expense report requesters leaked, raising privacy concerns] and [CA – Soldiers on Viagra part of a list of secrets held by Harper government] and [CA – Calgary: Some city councillors argue for hike in FOIPP charges]

Health / Medical

US – Second Healthcare Sector Cyber Security Exercise to Start in October

According to a press release from the Health Information Trust Alliance (HITRUST), the second cyber security exercise for the healthcare sector, CyberRX 2.0, will begin in October 2014. More than 750 healthcare organizations have signed up to take part in the cyber attack simulation exercise. The program has been expanded to offer three tiers of participation: Local/Basic, Regional/Mature, and National/Leading. [SC Magazine] [HITRUST Alliance Press Release]

US – Web Portal Delays HIPAA Audits

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has delayed the launch of a second round of HIPAA audits in an attempt to implement new web portal technology. “We recently had an opportunity to update the technology we’re using, giving us capabilities that we just didn’t have access to before,” said OCR Senior Adviser Linda Sanches. The portal will automate some elements of the auditing process, lightening the load on human resources. Sanches also encouraged healthcare providers to have a list of business associates prepared, and while the requirements of the audits remain the same, Adam Greene of Davis Wright Tremaine notes that the documentation must be meticulous. [FierceHealthIT] See also: [ON: Surgery room ‘black box’ poised to change medical culture]

US – Court Tosses Advocate Health Suit; CarrierIQ Asks Judge for Dismissal

A federal court based in Illinois has thrown out a putative class-action against Advocate Health and Hospitals that alleged the organization violated the Fair Credit Reporting Act (FCRA) by not appropriately securing health data stolen from its facilities. The judge ruled the hospital cannot be considered a credit-reporting agency covered by the FCRA. [Law360]

US – Exploring Health Data Collection, Marketing

The health data marketing ecosystem and hundreds of medical databases are up for sale to willing marketers. “People would be shocked if they knew they were on these lists,” said World Privacy Forum President Pam Dixon. “Yet millions are.” Directories including such category headings as “Suffering Seniors” or “Aching and Ailing” and other lists categorized by diagnosis, including 2.3 million cancer patients, are reportedly available. In February, Sen. Jay Rockefeller (D-WV) introduced legislation to limit such lists, but the Direct Marketing Association (DMA) said self-regulation is the better route. “We have very strong self-regulation,” said DMA Vice President for Government Affairs Rachel Nyswander Thomas, adding, “Regardless of how the practices are evolving, the self-regulation is as strong as ever.” [Bloomberg] Separately, the Vermont attorney general has settled a computer privacy case with a leasing company. SEI/Aaron’s has agreed to pay $45,000 to the state and $2,000 to each of the three customers who were affected. And [ON – Concerns raised over demographic data collection at Toronto hospitals] [NL: Donna Colbourne fined in Western Health privacy breach]

WW – Epidemiologist: Accurate De-Identification Important for Research

Daniel Barth-Jones, an HIV and infectious disease epidemiologist at Columbia University, writes about the importance of accurate de-identification methods in response to the paper Privacy, Anonymity and Big Data in the Social Sciences from MITx and HarvardX MOOC scholars Jon Daries, Justin Reich and others. Barth-Jones writes that the view that “anonymization is an obsolete tactic made increasingly difficult by advances in data mining and big data” is short-sighted, noting, “de-identification should rather be appropriately taken as part of an integrated and multidimensional approach for fashioning effective public policy for big data privacy.” [FierceBigData] SEE ALSO: [Concerns raised over demographic data collection at Toronto hospitals] and [UK HSCIC Data Pseudonymisation Review: Interim Report – Health & Social Care Information Centre]

WW – Apple Updates Language on HealthKit’s Permitted Data Uses

Apple has updated the language in its HealthKit platform to explicitly state that consumer health information is off-limits to data farmers. Developers who create software using the HealthKit’s application programming interface (API) are only permitted to gather data that’s used to enhance services outlined in the apps’ policy, and selling the data to advertisers is forbidden. “Your application must not access the HealthKit APIs unless it is primarily designed to provide health and/or fitness services, and this usage is clearly evident in your marketing text and user interface,” states Apple’s HealthKit license. [Tech Times]

Horror Stories

WW – Massive Celebrity Hack and Leak Raises Cloud Questions

Hundreds of intimate photos and videos of female celebrities were leaked online over the weekend, many of them allegedly stemming from hacks of Apple’s iCloud service. A spokesperson for Oscar-winning actress Jennifer Lawrence said the hacks and subsequent disclosure of such images are a “flagrant violation of privacy.” In a column for Mashable, Christina Warren asks, in light of the hack, how secure is the cloud? Twitter has suspended accounts of users who have posted the stolen data, and a legal representative for Lawrence said, “The authorities have been contacted and will prosecute anyone who posts the stolen photos.” The Atlantic’s Jennifer Valenti writes about the ethics of looking away from the disclosed personal information, noting that people who look at the photos “are violating these women in much the same way that the person who stole the pictures did.” [Newsweek] See also: [Taking a Naked Selfie? Your Phone Should Step In to Protect You]

WW – Apple Says iCloud Accounts Were Breached in Targeted Attack

Apple has acknowledged that several celebrities’ iCloud accounts were compromised, but the company said it was done by guessing or stealing login credentials rather than breaching Apple’s iCloud security. There was public speculation that the accounts had been breached using a recently disclosed exploit for Apple’s Find My iPhone service, but Apple denies that was the case, saying that the breaches were the result of “a very targeted attack on user names, passwords, and security questions.” [BBC] [DarkReading] See also: [Apple Patches Flaw in Find My iPhone | Source] See alwso: [Google Locks Down Stolen Credentials]

US – Home Depot Investigating Reports of Payment Card Data Breach

Home improvement retailer Home Depot has confirmed that it is working with its “banking partners and law enforcement to investigate” reports of a data breach. The company declined to comment further until the investigation is complete. The attorneys general (AGs) of Connecticut, Illinois and California are leading a multi-state probe into a data breach disclosed by Home Depot, said Connecticut AG George Jepsen. The IAPP featured an interview with Jepsen on AG enforcement priorities. [Home Depot breach could be one of the biggest in history] [Krebs] [DarkReading] [SC Magazine] [The Register] [BBC]

US – Temple University Announces Breach Affecting Nearly 4,000

Temple University has announced a breach involving the theft of an unencrypted desktop computer containing personal information on 3,780 patients from a physician’s office. The computer contained files with such information as name, age and billing codes but did not include Social Security numbers or financial data, the report states. The theft was reported to police, and the university says it has offered identity-monitoring services to all affected patients for 12 months and has taken steps to prevent such a theft in the future. [The Philadelphia Inquirer] See also: [US – 900,000 Customers Affected in Goodwill Breach] and [NZ – Earthquake data privacy breach ‘avoidable’]

US – AGs Probing Home Depot Breach

Meanwhile, Bartell Hotels has announced a data security breach at five of its San Diego-area hotels; a university is shutting down online voter registration following a data breach in February; Ernst & Young has been accused by a Canadian customer alleging customer business data was found on two Dell servers he purchased in 2006; a Goodwill data breach has been linked to a third-party vendor, and Miranda Alfonso-Williams offers advice on “five ways to prevent costly data breaches” at your business. [Reuters]

US – JP Morgan Breach a “Legacy” Issue

Hackers managed to breach the cyber-defenses at JP Morgan just as the bank’s cybersecurity chief was getting acquainted with his new position and the organization’s vast technology infrastructure, Bloomberg reports. Greg Rattray had just been appointed the company’s head of information security when the June breach incident started. “It sucks that this happened at the beginning of Greg’s watch, but this is a legacy issue,” said Trend Micro Chief Cybersecurity Officer Tom Kellerman. “They had an acting person who was juggling way too much, with no one fully dedicated to the role for a bit of time.” [Bloomberg] [US: Casinos may offer lessons about protecting privacy]

Identity Issues

CA – StatsCan Considering ‘Virtual Census’ to Replace Head Count

Statistics Canada is studying a radical new method of counting how many people live in this country — one that could eventually replace the census with a “virtual population register.” Chief statistician Wayne Smith said the agency’s work on building a virtual census is one part of its aggressive pursuit of innovation. A virtual census relies heavily on administrative data: giant caches of information collected by government in the regular course of business. Statistics Canada already uses 500 databases drawn from federal, provincial and municipal governments, and the private sector. Among many other things, those data files provide information on individual incomes taxes, corporate taxes, payroll deductions, employment insurance, building permits, births and deaths, even telephone bills. A handful of European countries — Finland, Holland, Sweden, Denmark and Germany — have scrapped their survey-based censuses in favour of population counts that rely heavily on an amalgam of administrative data. Sometimes, that data is combined with information from sample surveys. Smith conceded that the growing reliance on administrative data raises enormous privacy issues, but he insisted that the statistics agency operates within strict limits. [Source]

IN – Controversial Biometric Project in India May Go Ahead

The largest biometric identification projects in the world — India’s attempt to give an ID number to 1 billion people linked to fingerprint and iris scans — may be going ahead under the new government. The winning Bharatiya Janata Party had said during last spring’s election campaign that it would review the controversial program for a secure ID to get government benefits. However, this week it approved a 2015 target for voluntary enrollments, signalling that it will back the project. [itworldcanada.com] See also: [South Carolina boy sues over makeup removal for driver’s license photo]

Law Enforcement

US – Cities Seek to Upgrade Stingray Before Providers Drop 2G Network

Several US cities are seeking to upgrade cell phone surveillance systems commonly known as stingray. The controversial technology has been shrouded in secrecy, e.g., law enforcement agencies allegedly misleading the courts about the technology. Stingrays are capable not only of determining a target’s location, but also of intercepting communications contents. One of the techniques the technology uses is to force targeted devices to resort to using the 2G network by jamming 3G and 4G network signals because 2G network security is not as strong as that of later generation networks. Most providers will stop supporting the 2G networkwithin the next few years, which means current stingrays will no longer work. [Ars Technica]

Offshore

PH – Philippine House to Rewrite Privacy Bill

After certain stakeholders criticized the current draft of a privacy bill in front of the Philippines House of Representatives, the House will rewrite the bill—a request made by its author, Rep. Rufus Rodriguez [The Philippine Star].

WW – APEC Cross Border Privacy Rules Update

Markus Heyder provides an update on the status of the APEC Cross-Border Privacy Rules. See also: [SG – Monetary Authority of Singapore – Consultation Paper on Proposed Credit Bureau Regulatory Framework and Credit Bureau Bill]

Online Privacy

US – Why Privacy Policies Are So Inscrutable

The Atlantic reports on why privacy policies are so inscrutable, analyzing 50 of the most popular websites in the U.S., whose policies, taken together, totaled 145,641 words—or the equivalent of The Grapes of Wrath . “Today’s privacy policies don’t tell consumers the whole story for two main reasons,” the report states, noting that, first of all, “websites have adopted a kind of precautionary legalese to inoculate themselves against lawsuits and fines.” And second, the rise in data brokerage firms has created a lucrative industry around consumer profiling. The column delves into the vagueness of many basic terms, particularly consent, explicit consent and third-party data sharing. Of the 50 privacy policies analyzed, 48 interact with other third parties, but only nine say which ones. [The Atlantic]

WW – Facebook Messenger Tracking ‘A Lot More Data Than You Think’

“Messenger appears to have more spyware type code in it than I’ve seen in products intended specifically for enterprise surveillance,” tweeted Jonathan Zdziarski, a noted author and expert in iOS related digital forensics and security on Tuesday. In an email to VICE’s Motherboard, Zdziarksi told reporter Matthew Braga that Facebook logs “practically everything a user might do within the app.” “[Facebook is] using some private APIs I didn’t even know were available inside the sandbox to be able to pull out your WiFi SSID (which could be used to snoop on which WiFi networks you’re connected to) and are even tapping the process list for various information on the device,” he wrote. News of Zdziarski’s findings spread swiftly around the web this week, prompting Facebook to issue the following statement: “These accusations are completely unjustified. Privacy is core to our approach with Messenger, and like any developer, we analyze usage trends to make our apps better, faster, and more efficient. As an example, with regard to what and where people tap – when we noticed that people were using the ‘Like’ stickers a lot, we modified the app so that people could send them with fewer taps.” [CBC] See also: [The Economist: Everything people do online is avidly followed by advertisers and third-party trackers] and also: [Facebook Generation Rekindles Expectation of Privacy Online]

WW – Facebook Testing Update Option with Expiration Dates

Facebook is currently testing a new option that would allow users to place an expiration date on a given post, ranging from one hour to one week. The move comes after more employers, attorneys and law enforcement officials increasingly use social media posts to make hiring and other decisions. “It’s interesting to me because Facebook used to push this idea that our cultural notions of privacy were changing and that people should share things all the time. People reacted poorly to that,” said University of Maryland Human-Computer Interaction Lab Director Jennifer Golbeck. “But in the last six months or so, they’ve started coming around to the idea that people still want to do things privately.” [Bloomberg Businessweek] See also: [Facebook being more proactive in pushing users to check privacy settings]

Other Jurisdictions

AU – Report into Serious Invasions of Privacy in the Digital Era released

The Australian Law Reform Commission’s Final Report, Serious Invasions of Privacy in the Digital Era (Report 123, 2014) was tabled in Parliament and is publicly available. The Terms of Reference for this Inquiry, required the ALRC to design a tort to deal with serious invasions of privacy in the digital era. In this Report, the ALRC provides the detailed legal design of such a tort located in a new Commonwealth Act and makes sixteen other recommendations that would strengthen people’s privacy in the digital environment. The Report also recommends that a new Commonwealth surveillance law be enacted to replace existing state and territory laws, to ensure consistency of surveillance laws throughout Australia, and a number of other reforms to supplement the statutory cause of action. The Report and a Summary Report is available to freely download or purchase in hard copy from the ALRC website. The Report is also freely available as an ebook. [Source] See also: [AU – New laws open door for ACT information privacy commissioner]

AU – Australian Law Reform Commission Recommends Privacy Invasion Tort

The Australian Law Reform Commission is recommending a new Commonwealth tort for serious invasions of privacy [ZDNet]. See also: [Attorney General, Government of Australia – Confidential Industry Consultation Paper: Telecommunications Data Retention – Statement of Requirements] and Austrian Justice Minister Wolfgang Brandstetter would like a data retention law following the Constitutional Court’s decision to strike down Austria’s existing law in July. [Telecompaper]

US – Miles Driven Tax Could Replace Gas Tax

It hasn’t hit the fastlane yet. But the controversial idea of imposing a mileage-based driving tax in California is gaining speed. The Legislature last month approved Senate Bill 1077, which authorizes a pilot program to explore a “road usage charge” as a potential replacement of the state gas tax. The bill would have no authority to impose the charge. But just the concept a mileage-based fee, and the related idea of the government tracking one’s driving habits, has stirred concerns over privacy, fairness and excessive taxation. [Source]

Privacy (US)

US – FTC Announces Panelists, Topics for Upcoming Workshop

The FTC has announced the agenda and panelists for its upcoming big data workshop, which aims to look at the use of big data and its impact on consumers, including those who are low-income or underserved. FTC Commissioner Edith Ramirez will make the opening remarks at the September 15 event in Washington, DC. Panelists will include Princeton University’s Solon Barocas, Promontory’s Michael Spadea, the Electronic Frontier Foundation’s Jeremy Gillula, Georgia Institute of Technology’s Peter Swire and the World Privacy Forum’s Pam Dixon, among many others. The workshop will look at what’s on the horizon with big data, survey the legal landscape and consider the path forward. [Press Release]

US – White House Names New CTO and Deputy CTO

The White House announced today the appointment of Google’s Megan Smith as U.S. Chief Technology Officer (CTO) and former Twitter Counsel Alex Macgillivray as Deputy CTO. Both have long histories in Silicon Valley. Smith also served as CEO of PlanetOut, an early online forum for the LGBT community that is now defunct, in addition to a number of roles at Google, including her most recent post as VP of Google[x], where new projects are developed. Macgillivray was deputy general counsel at Google before taking the lead counsel role at Twitter and was a lawyer with Wilson Sonsini Goodrich & Rosati before that, representing clients like Creative Commons and the Internet Archive. Among the new CTO team’s tasks, a White House statement said, will be a “focus on policy matters,” including items like “where big data and privacy intersect.” Most recent U.S. CTO Todd Park will remain with the White House “to help recruit technologists to federal service.” Most recent Deputy CTO Nicole Wong departed the White House recently to return to California. [Washington Post]

US – FTC Complaint and Final Decision and Order on Credit Karma App

An FTC order (in effect for 20 years) resolves complaints that a mobile app company failed to securely transmit consumers’ sensitive personal information; the company’s app developer used code that disabled SSL certificate validation “in testing only” but the company failed to ensure this code’s removal from the production version of the app that was shipped to consumers and failed to perform an adequate security review of its app prior to launch. The company is required to implement a comprehensive security program (including training in secure engineering and defensive programming), and requiring service providers to implement and maintain appropriate safeguards. [FTC]

US – EFF Argues Against CISA

The Electronic Frontier Foundation makes its case to pass the USA FREEDOM Act and kill the Cybersecurity Information Sharing Act in this release. See also: [In Re Application of the Federal Bureau of Investigation for an Order Requiring the Production of Tangible Things – BR 13-25 – Foreign Intelligence Surveillance Court]

US – REDEEM Act Needs a European Import: The Right To Be Forgotten

The unlikely duo of Sens. Rand Paul (R-KY) and Cory Booker (D-NJ) recently announced the REDEEM Act, a bill intended to facilitate the sealing of adult criminal records. According to the proposed legislation, those convicted of nonviolent crimes can petition to have their criminal records sealed. The legislation would have significant consequences for those who have committed nonviolent crimes, calling for a limited right to be forgotten in the U.S. “so that the common-sense goal of allowing Americans to achieve a better future can be realized.” [The Privacy Advisor]

US – Google Accord With Harvard Tie Fails Judge’s Smell Test

Google’s settlement of a privacy lawsuit likely won’t win approval because its terms include a donation to Harvard University and other schools that attorneys involved in the case attended, a judge said. [Reuters]

US – Hoofnagle Opines on Big Data Impacts on Civil Liberties and Society

UC-Berkeley Prof. Chris Jay Hoofnagle writes that use-regulation “has tremendous implications for civil liberties and our society,” adding, “Ultimately, it can help determine how much power companies and governments have.” [Slate]

US – Judges Hear Appeal Against NSA Spying; Congress Questions Secret Spying Law

During this week’s review of the legality of the NSA’s bulk collection of phone records, the panel of federal judges expressed concerns about the privacy implications of NSA tactics. The ACLU has challenged a lower court’s decision to uphold the NSA practices, arguing they are unconstitutional. One judge said, “We don’t know what we don’t know” about the operations. Meanwhile, four House Democrats are protesting what they call a “secret law” that allows spying on Americans’ emails and is a “threat to democracy.” The legislators are asking President Barack Obama “to ban ‘disproportionate or unnecessary’ collection of people’s messages, Internet chats and other communications,” the report states. [FOX News] [Slate]

Privacy Enhancing Technologies (PETs)

WW – Programmers Developing Privacy-Enhanced Skype Alternative

A group of programmers famous for frequenting such sites as 4Chan, Hacker News and Reddit are working on an open-source, security-focused replacement for Skype. Tox, as the project is called, is “yet another example of programmers uniting in the post-Snowden era to make easy-to-use tools with encryption and privacy considerations built in.” Tox uses encrypted peer-to-peer networking and eliminates the need for messages to travel through a central server, the report states, and users are given a Tox ID to allow for anonymity. [PCWorld] See also: [Book Review: No Place To Hide: Worth a Read, Maybe Two] See also: [Australian patents privacy indicator for Google Glass]

WW – Privacy Big Ingredient in Apple’s New Products Release

Apple unveiled a slew of new products this week, including the iPhone 6 and 6 Plus as well as the Apple Watch, Apple Health Kit and Apple Pay. The product launch comes a week after a targeted hack of celebrities, which has been tied to Apple’s iCloud. Now that it is releasing products that will handle the most sensitive of personal data, including financial, location and health data, the company is placing a huge onus on privacy and security. “Security is at the core of Apple Pay,” said Apple CEO Tim Cook. McDermott Will & Emery Attorney Jennifer Geetter said, “Given the popularity of the iPhone and its uncanny ability to know what we want before we know, anything Apple does now compounds and expands the existing challenge of meeting consumer expectations while protecting privacy.” [Politico] [On the Privacy Challenges Ahead for Apple]

WW – New Platforms Make the User the Data Broker

A slew of platforms are designed to give users the ability to sell their personal information to advertisers and marketers. Datacoup, Handshake and Meeco all share the same goal of cutting out the data-broker middleman by allowing users to profit from their personal data. “The way we see it,” said Handshake CEO Paul Davis, “your data belongs to you. So if someone should be making a profit on it, it should be you.” MIT Technology Review also profiles Datacoup. [NPR] See also: AVG Technologies has unveiled a new short privacy notice for its most popular apps. The easy-to-read disclosures are meant to resemble a nutritional label, showing what the company does and does not collect as well as how and why data is shared. Meanwhile, less than 24 hours after reinstating the

RFID

US – NYC Firefighters Are Being Tracked With Military-Developed Radio Tags

New York City’s fire department is experimenting with outfitting its firefighters with $20 radio tags. Think of it as an E-Z Pass for tracking firefighters during the confusion of an emergency. “It’s in a little sealed plastic — it looks like a little key fob, actually,” said George Arthur, a Naval Research Laboratory engineer, in a statement. “They’re positioned over the left breast, inside the bunker coat in a little Kevlar pocket that’s sewn in there. And it just sends out a little ping every five seconds: Here I am, here I am, here I am.” Back on the truck, a $1,100 reader picks up the signal. “It just listens and says, ‘Okay, 1234, that’s Jessica Smith,’ so we know Jessica Smith is nearby,” said NRL’s David DeRieux. The data is also sent back to the FDNY’s command center in Brooklyn, too, and projected on a wall to help in the wide-scale coordination of firefighters. They are currently testing the technology on 15 trucks. But how well can the technology determine firefighters’ precise locations — like what floor of a building they are on? Indoor tracking, admits the Naval lab’s DeReiux, is “a very tough nut to crack,” in part because a six-inch shift in any direction could mean the difference of being on one side of a wall or the other.[Source]

Security

WW – Need for Privacy Operations at Nonprofits

A recent study of nonprofits revealed many are, on average, increasing staff dedicated to technology-related issues, and as many as 64% included technology as part of their operational plans. These results “are generally encouraging,” writes Network Advertising Initiative Executive Director Marc Groman, but “information privacy controls and data governance are conspicuously absent from the survey and discussion.” Groman points out nonprofits “often possess vast amounts of data” and that “it isn’t simply about investing in new technology” but also integrating “privacy considerations and responsible data governance” into the organization’s management practices. He writes it is “critical” that someone within a nonprofit has responsibility for information privacy. [Privacy Perspectives]

WW – Does Training Actually Thwart Breaches?

In a LinkedIn blog post, George Washington University Law School’s Daniel Solove discusses whether employee training really can reduce data security breaches. “Coming up with a quantifiable return on investment for training is challenging because the threats are constantly changing,” Solove writes, adding that it’s not just training that matters but the quality of that training. Among the many reasons to train employees—including that it creates a culture of compliance, all it takes is one person to create an incident, and it’s often the law to train—the bottom line is that no organization is going to suffer because they trained employees, but plenty have because they didn’t. [LinkedIn] See also: [Ernst & Young accused by Canadian used computer dealer of data breach]

Surveillance

US – Groups Reveal Decade-Old Memos Authorizing Wiretapping

The Justice Department has released two decade-old memos describing the Bush administration’s legal justification for the warrantless wiretapping of Americans’ phone calls and emails. The program began in secret after the September 11 attacks and was justified, according to the memo, by the fact that the “president has inherent constitutional power to monitor Americans’ communications without a warrant in a time of war.” The memos were obtained by the Electronic Privacy Information Center and the ACLU. Meanwhile, a coalition of 40 groups including the ACLU has asked the Senate to prioritize passing the latest version of the USA FREEDOM Act without weakening it. [The Washington Post] See also: [US: Army’s eyes in the sky built to spot people from 5 kilometers away]

Telecom / TV

US – Unsealed Documents Show Yahoo Fought PRISM Compliance

Recently unsealed documents reveal that the US government threatened Yahoo with a US $250,000-a-day fine if it did not comply with the PRISM data collection program and surrender user communications information. Yahoo had been fighting the demand in court; the government was able to use the ruling from the Foreign Intelligence Surveillance Court of Review to convince other technology companies to comply with their data demands. That same court ordered the documents unsealed. [Washington Post] [NYTimes] [ArsTechnica]

US – Comcast Using Public Wi-Fi Hotspots to Inject Ads

People who use Comcast’s public Wi-Fi network are finding that they are receiving pop-up advertisements for the company’s service. Comcast calls the practice “watermarking.” Comcast uses JavaScript to inject the content into the data flows of users who have signed up to use the company’s Wi-Fi hotspots around the country. Comcast says that the messages are there to assure users that they are using a legitimate Comcast hotspot. [The Register] [PC World] [ArsTechnica]

US – US Cities Seek to Upgrade Stingray Before Providers Drop 2G Network

Several US cities are seeking to upgrade cell phone surveillance systems commonly known as stingray. The controversial technology has been shrouded in secrecy, e.g., law enforcement agencies allegedly misleading the courts about the technology. Stingrays are capable not only of determining a target’s location, but also of intercepting communications contents. One of the techniques the technology uses is to force targeted devices to resort to using the 2G network by jamming 3G and 4G network signals because 2G network security is not as strong as that of later generation networks. Most providers will stop supporting the 2G network within the next few years, which means current stingrays will no longer work. [Ars Technica] See also: [MN: Inmates lose telephone privacy]

US Government Programs

US – FISA Court Renews NSA Metadata Program

The Foreign Intelligence Surveillance Court has reauthorized the National Security Agency (NSA) program that collects in bulk the metadata of U.S. citizens’ phone records. The reauthorization comes while a reform bill remains stuck in the Senate. “Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the Section 215 telephony metadata program, the government has sought a 90-day reauthorization of the existing program,” said the Department of Justice and Office of the Director of National Intelligence in a joint statement. Both of the government agencies also said they support the USA FREEDOM Act, saying “it reflects a reasonable compromise that preserves essential intelligence community capabilities, enhances privacy and civil liberties and increases transparency.” [The Hill]

US Legislation

US – Two Bills Head to CA Gov for Signing

There are two bills heading to California Gov. Jerry Brown for signing, both of which deal with issues affecting student privacy. SB 1177 describes privacy guidelines for operators of websites, online services and mobile applications, while AB 1584 focuses on obligations with contracts between local education organizations and third-party technology vendors. Assembly Education Committee Chief Consultant Rick Pratt said, “There really was very little if any protection that would guard the security, the privacy, the confidentiality of student information … and so hopefully bill 1584 and 1177 will provide some security and privacy where it doesn’t exist in current law right now.” A representative from Common Sense Media said it’s “a landmark regulatory scheme.” In separate news, school officials have said the Oklahoma State Department of Education violated student privacy laws. [Government Technology] and [Does California’s “Kill Switch” Bill for Smartphones Risk Privacy for Personal Safety?]

US – North Carolina Advances Further Drone Legislation

The North Carolina General Assembly has advanced the Appropriations Act of 2014, which includes a provision giving anyone surveilled without a warrant “civil cause of action against the person, entity or state agency that conducts the surveillance or that uses an unmanned aircraft system to photograph for the purpose of publishing or otherwise disseminating the photograph.” [HSToday.us]

Workplace Privacy

US – Every Three Minutes, a Worker’s Personal Device Is Remotely Wiped

While the bring-your-own-device trend is on the upswing, so are remote data-wipes of workers’ personal phones, tablets and laptops, according to PA-based firm Fiberlink Communications Corp., which specializes in mobile device management. Fiberlink’s software wiped 81,000 devices in the first six months of this year, compared with 51,000 in the last six months of 2013. That’s an average of 450 per day or three per minute. The WSJ reports that employers are not required to make a distinction between personal and professional information when erasing data. [The Wall Street Journal] See also: [Canada: Limited Protection of Dependents’ Personal Information In Group Insurance Matters]

+++

01-15 June 2014

Biometrics

US – NSA Collecting Millions of Web-based Facial Images

The latest leak from Edward Snowden reared its head over the weekend when The New York Times reported that the U.S. National Security Agency (NSA) has been collecting millions of facial images from texts, social media, video conferences and e-mail over the last four years. According to the documents, the NSA intercepts “millions of images per day” including nearly 55,000 “facial recognition quality images.” A representative from the Electronic Frontier Foundation said, “The government leads the way in developing huge face recognition databases, while the private sector leads in accurately identifying people under challenging conditions.” In related news, the NTIA is set to host its latest meeting in the process of creating a self-regulatory code of conduct for the commercial use of facial recognition on Tuesday. Meanwhile, Reddit, Imgur and BoingBoing are joining the “Reset the Net“ campaign to protest mass surveillance. [New York Times]

US – NIST Finds Facial Recognition Accuracy Is Improving

The National Institute of Standards and Technology (NIST) has released results from its 2013 study on facial recognition algorithms, finding that accuracy is noticeably improving, according to a NIST press release. Compiled by biometrics researchers Patrick Grother and Mei Ngan, Performance of Face Identification Algorithms found that accuracy is up 30% since 2010. “We studied the one-to-many identification because it is the largest market for face recognition technology,” Grother said. “These algorithms are used around the world to detect duplicates in databases, fraudulent applications for passports and driving licenses, in token-less access control, surveillance, social media tagging, lookalike discovery and criminal investigations.” [NIST]

WW – Will Facial Recognition Tech Soon Be Reading Our Emotions?

Facial recognition is becoming “emotional recognition,” The Atlantic reports, where advances in technology “could give anyone sporting a future iteration of Google Glass the ability to detect inconsistencies between what someone says (in words) and what that person says (with a facial expression).” A recent study indicated humans “are capable of reliably recognizing more than 20 facial expressions and corresponding emotional states.” When the study was conducted with a facial recognition software program, the accuracy rate was “on the order of 96.9% in the identification of the six basic emotions,” the report states, continuing on to predict, “We run the serious risk of losing, little by little, our spontaneous humanity, appearing more and more like the predetermined algorithms that observe and judge us.” [The Atlantic]

US – Should the Facial Recognition Code Apply to the Gov’t? Could It?

Stakeholders met for the sixth in their series of meetings organized by the National Telecommunications and Information Administration (NTIA) in hopes of creating a voluntary code of conduct on facial recognition technology. This meeting aimed to look at the risks and issues the process’ participants identified since last month’s meeting. It also looked at a list of drafted definitions the not-yet-existent code could include. The most passionate debate yesterday centered around what the code should say about government access to raw images and what standards should apply to requests by governments to gain access to such information. [Privacy Advisor]

US – No Joke: Secret Service Wants Sarcasm-Detection Algorithm

According to a work order released by the U.S. Secret Service last week, the agency tasked with protecting current and former national leaders is asking developers to create an algorithm that can detect and delete online sarcasm. Additionally, the work order calls for the development of software capable of targeting “influencer identification,” “access to historical Twitter data,” the “ability to search online content in multiple languages,” “audience segmentation” and “data visualization representations, (like) heat maps.” A Secret Service spokesman said the “objective is to automate our social media monitoring process. Twitter is what we analyze. This is real live stream analysis … We are looking for the ability to quantify our social media reach. We aren’t looking solely to detect sarcasm.” [Ars Technica]

Canada

CA – Supreme Court Rules In Favor of Online Anonymity

Canada’s Supreme Court ruled unanimously that ISPs may not provide police with customers’ names, addresses and phone numbers without a search warrant. The case involved Matthew David Spencer, who was charged with possessing child pornography “and making it available to others” in a file-sharing network after a detective “found his publicly available child pornography” and “asked Shaw Communications for the IP address,” the report states. The government argued, “There is no objective reason to think that an Internet service provider must keep such basic information as an address and a name private, let alone shield it from a child pornography investigator.” Writing for the court, Justice Thomas Cromwell said, “Anonymity is an important safeguard for privacy interests online.” [The Globe and Mail] See also: [Police watch key Internet privacy appeal] and also: [Posting porn photos of ex-girlfriend called ‘despicable’ and ‘morally wrong,’ but not illegal, judge rules]

CA – Rogers Opens Curtain on Warrantless Government Snooping

Rogers Communications gave Canadians their first real peek behind the curtain of warrantless government snooping Thursday, revealing they were asked almost 175,000 times for their customers’ data in 2013. Rogers became the first major Canadian telecommunications provider to issue a transparency report, revealing aggregate numbers on how many law enforcement requests they receive in a year.More telecom and Internet service providers are expected to follow suit, as Canadian customers learn more about the scope of government access to their personal data. [The Canadian Press]

CA – Therrien Testifies on Bill C-13

Testifying before the House of Commons Justice Committee on Tuesday, Privacy Commissioner Daniel Therrien urged the government to split Bill C-13 “to allow for thorough examination of several measures that would expand online monitoring,” Ottawa Citizen reports. Bill C-13 would make it illegal to share “intimate images” without consent and would “remove barriers to getting such pictures scrubbed from the Internet—changes Therrien supports,” the report states. However, the report states, Therrien’s office has warned that provisions giving authorities tools to track telecommunications “would dangerously lower the proposed threshold” for access to personal information. Meanwhile, MP Charlie Angus has written to Treasury Board President Tony Clement “to convene an independent expert panel to make recommendations on securing Canadians’ privacy in the digital era.” [Full Story] [Commissioners Cavoukian, Clayton, and Denham’s Joint Letter to the Standing Committee Reviewing Bill C-13] and also: [Privacy watchdog cancels cyberbullying bill appearance]

CA – Conservatives Keep New Surveillance Powers in Cyberbullying Bill C-13

The Conservative government has rejected calls to change a controversial cyberbullying bill, preserving a broad range of new police surveillance powers that critics warn will infringe on Canadians’ privacy rights. The House of Commons Justice Committee wrapped up its review of Bill C-13, with the Conservative-dominated committee voting down nearly every proposed amendment. They did so despite calls from the federal ‎privacy commissioner, provincial commissioners, civil liberties groups and other experts to change parts of the bill to rein in the broad surveillance powers and warrantless access to private information. The bill was tabled as an anti-cyberbullying law, but also gives telecommunications companies immunity for handing private data over to police without a warrant. It creates a range of new surveillance warrants, such as one allowing police to install software on someone’s phone, with what critics say is too low an evidence threshold – in other words, they warn it will be too easy for police to get approval to spy on Canadians. Finally, the bill hands the broad new powers to a range of public officials, not just police. [Source]

CA – Therrien Experts Examine Facebook Class-Action

The BC Supreme Court’s recent certification of a class-action suit against Facebook over its “Sponsored Stories.” Reed Smith’s Mark S. Melodia and Frederick Lah write, “In the Canadian case, one of the main issues was whether Facebook users have the protection of BC’s Privacy Act, or instead, whether Facebook’s online Terms of Use overrode these protections.” The court pointed to a section of BC’s Privacy Act that states actions under the Privacy Act “must be heard and determined by the Supreme Court,” the report states, and defined the class as “all BC residents who are or have been Facebook members at any time between January 2011 and May 2014 and whose name or picture was used as part of the Sponsored Stories.” [Mondaq]

CA – Therrien Confirmed as Commissioner, Criticizes C-13 in Committee

Just days after NDP Leader Tom Mulcair hammered Prime Minister Stephen Harper over his nomination of Justice Department lawyer Daniel Therrien to take over as federal privacy commissioner, The Globe and Mail reports that the House of Commons voted 153 to 75 to approve Therrien. Meanwhile, CBC reports, Therrien voiced support for splitting Bill C-13 to a Parliamentary committee, a plan advocated by the Canadian Bar Association and others. He also advocated for an independent review of the bill, saying, “I think Canadians want to know more about why police and security agencies require information.” He likely knows more than most Canadians, as he’s given legal advice on surveillance to security agencies in the past. Therrien’s first order of duty is to testify before the committee considering Bill C-13 on June 10. Editor’s Note: The Privacy Advisor rounded up heated reaction to Therrien’s nomination last week. [Full Story] and [Canada: New privacy watchdog approved with Conservative and Liberal support]

CA – BC Supreme Court Certifies Class-Action Against Facebook

The BC Supreme Court has authorized a lawsuit against Facebook claiming that its practice of publishing users “likes” of businesses on their friends’ pages violates the BC Privacy Act. Through Facebook’s “Sponsored Stories” program, companies can pay to use a person’s name and likeness as proof of an endorsement. Plantiff lawyer Christoper Rhone says doing this without consent breaches the BC Privacy Act. In the court decision, BC Supreme Court Justice Susan Griffin said one key question is whether BC users of foreign social media sites have the protection of the BC Privacy Act, adding, “Given the almost infinite life and scope of internet images and corresponding scale of harm caused by privacy breaches, BC residents have a significant interest in maintaining some means of policing privacy violations by multi-national internet or social media service providers.” [CBC News]

CA – OPC: S-4 Will Allow Data Sharing without Consent

While Bill S-4 intends to overhaul online privacy rules, introduce new penalties for breaches and give new powers to the Office of the Privacy Commissioner (OPC), the OPC warns it also opens the door for the sharing of consumer data between private companies without consent. Patricia Kosseim, OPC senior general counsel and director general, told a Senate committee on Wednesday the bill’s data-sharing provision “could lead to excessive disclosures that would be invisible both to the individuals concerned and to our office.” Industry Minister James Moore, who is leading government efforts to pass the bill said, “These rules ensure that information is only released when there is a reason to believe the law has been broken.” [The Globe and Mail] [InfoWorld]

Consumer

WW – Survey: Consumers Won’t Trade Privacy for Convenience

While users worldwide are “thrilled by the ease and convenience of their smartphones and Internet services,” they aren’t willing to trade their privacy for more of it. That’s according to a new survey of 15,000 consumers in 15 countries conducted by EMC Corporation. 51% of respondents said they aren’t willing to trade “some privacy,” while 27% said they are. 41% said they “believe the government is committed to protecting” their privacy, while 81% said they expect privacy to erode over the next five years. “Consumers worldwide seem to strongly agree with the notion that there should be laws ‘to prohibit businesses from buying and selling data without my opt-in consent’—87%,” the report states. [The New York Times] See also: [UK: Young people give up privacy on Google and Facebook ‘because they haven’t read 1984’]

CA – Nearly all Canadian Businesses Collect Personal Info: Survey

The percentage of Canadian businesses collecting their customers’ personal information has sharply increased over the last seven years, a new survey for Ottawa’s privacy watchdog reveals. A total of 97% of companies surveyed in 2013 said they collect their customers’ personal information, including name, address, and telephone numbers — up from 63% in 2007. But while the number of companies collecting Canadians’ personal data is increasing, the number concerned about losing that data seems to be on the wane. Half of the businesses surveyed said they were “not at all” concerned about data breaches in 2013 — while only a year earlier 40% indicated some concern about such breaches. “58% of surveyed companies do not have guidelines in place in the event of a breach where the personal information of their customers is compromised.” [Source]

E-Government

CA – Federal Agency Seeks to Widen Surveillance of Demonstrators In Canada

The federal government is expanding its surveillance of public activities to include all known demonstrations across the country, a move that collects information even on the most mundane of protests by Canadians. The email requesting such information was sent out this week by the Government Operations Centre in Ottawa to all federal departments. “The Government Operations Centre is seeking your assistance in compiling a comprehensive listing of all known demonstrations which will occur either in your geographical area or that may touch on your mandate,” noted the email, leaked to the Citizen. “We will compile this information and make this information available to our partners unless of course, this information is not to be shared and not available on open sources. In the case of the latter, this information will only be used by the GOC for our Situational Awareness.” Wesley Wark, an intelligence specialist at the University of Ottawa, said such an order is illegal. “The very nature of the blanket request and its unlimited scope I think puts it way over the line in terms of lawful activity,” said Wark. “I think it’s a clear breach of our Charter rights.” Wark said the only lawful way a Canadian government agency, with the appropriate mandate, would have to monitor a demonstration would be if that agency could establish that the protest would constitute some kind of threat to civil order. “But it has to be specific and it has to be justifiable in law to mount such surveillance,” he added. [The National Post]

E-Mail

WW – Google Testing eMail Encryption Plug-in

Google is testing a tool for its Chrome browser that allows users to encrypt their email. The End-to-End plug-in uses OpenPGP to encrypt, decrypt, digitally sign, and verify messages in Chrome. The plug-in is currently in alpha testing mode and is not yet available in the Chrome Web Store. [DarkReading] [v3.co.uk] [CNN] [ArsTechnica] [GOOGLE] and also [Google Street View prank creates murder scare]

Electronic Records

US – National Health IT Office Unveils 10-Year Plan

The Office of the National Coordinator for Health IT has outlined a 10-year plan to develop an “interoperable health IT ecosystem that can simultaneously improve population health, boost patient engagement and lower costs.” By 2024, the office’s health IT infrastructure and data standards aim to support “robust information sharing and aggregation,” the report states. Meanwhile, the new Healthkit app for iOS8 acts as a dashboard that can collect and summarize health data from other connected apps or third-party fitness devices. But how do this and other similar apps negotiate with HIPAA rules, asks a NetworkWorld report? [FierceHealthIT] and [US: Group Of Electronic Health Record Vendors To Become Officially Interoperable]

Encryption

WW – New OpenSSL Vulnerability Revealed; Searching for New Privacy Tech

In another blow to online encryption, a researcher has found a new and severe vulnerability in the OpenSSL cryptographic library that allows bad actors to potentially decrypt and change web, e-mail and virtual private network traffic that is protected by the Transport Layer Security (TLS) protocol. TLS is the most common way to encrypt traffic on the Internet. “The good news is that these attacks need man-in-the-middle position against the victim and that non-OpenSSL clients (IE, Firefox, Chrome on Desktop and iOS, Safari, etc.) aren’t affected,” said Google software engineer Adam Langley in a technical analysis. He added, “Nonetheless, all OpenSSL users should be updating.” Meanwhile, The Wall Street Journal reports on finding privacy-enhancing technology in a post-Snowden world. [Ars Technica]

WW – Google to Name Non-Encrypting E-mail Providers

Google announced in a blog post that it will begin publicly identifying which companies support and do not support e-mail encryption as part of its transparency reports, and the company plans to unveil a piece of encryption code called End-to-End, which will attempt to add a level of encryption to solve the issue of other sites not supporting Transport Layer Security. According to the blog post, 65% of traffic sent to Google servers is not encrypted. Gmail Delivery Team Tech Lead Brandon Long wrote, “The important thing is that both sides of an email exchange need to support encryption for it to work; Gmail can’t do it alone.” ACLU Technologist Christopher Soghoian said, “Google’s naming. We can shame … And we will.” [Google Blog] See also: [When Bad Passwords Make a Great Dress]

EU Developments

US – Microsoft Fights U.S. Order to Disclose E-mail Stored Overseas

In a continuing legal battle, Microsoft is challenging a U.S. federal court order to turn over a customer’s information stored in a data center in Ireland—possibly the first time a corporation has challenged such a warrant. Additionally, Verizon filed an amicus brief on Tuesday that parallels Microsoft’s arguments, and, according to the report, more companies are expected to join. In a court filing made public on Monday, Microsoft contends that if the order were upheld, it “would violate international law and treaties and reduce the privacy protection of everyone on the planet.” Peter Swire said, “This is a policy decision as well as a legal one.” [The New York Times]

EU – Ministers Agree EU Privacy Law Applies to Non-EU Business

EU justice ministers reached a partial agreement on the proposed overhaul of EU data protection law. The ministers agreed to rules governing international data transfers and the territorial scope of the proposed regulation, the report states. EU Justice Commissioner Viviane Reding said, “It’s in the interest of companies to have legal certainty rather than having to spend money on costly lawsuits only to arrive at the same result at the end.” The main sticking point is the so-called “one-stop-shop” mechanism. A European Data Protection Supervisor representative said, “Everyone agrees that a one-stop-shop is necessary, but there are about 20 different ideas of what that should mean in practice.” The lack of full agreement means a final round of negotiations cannot resume until October. [PC World]

EU – EU DPAs to Form Right-To-Be-Forgotten Task Force

A panel of watchdogs will be formed in the EU to examine “right-to-be-forgotten” takedown requests. A member of the Article 29 Working Group said the move was approved in a meeting in Brussels. The panel will reportedly analyze how regulators should respond to citizen complaints about Google’s management of takedown requests. [Bloomberg]

EU – EU Council Unlikely to Back One-Stop-Shop

EU ministers are not expected to reach an agreement on the proposed “one-stop-shop” (OSS) component of the proposed General Data Protection Regulation (GDPR). On Tuesday, an EU official said, “The discussion hasn’t moved on to be honest since the last council,” and an EU presidency source said finalizing the OSS “is out of the question.” A “discussion text” to resolve the disagreement was passed out last week, but some member states, including Germany and the UK, have expressed concern their nations could be subject to unwanted data protection rules. European Data Protection Supervisor Peter Hustinx said, “I expect the council will mark that progress has been made, but will probably not give the OK to the final version,” adding, “with the one-stop-shop principle, it can only work if we think in terms of close collaborations.” [EUobserver]

EU – Council May Offer Tweak to Proposed “One-Stop-Shop” Mechanism

The Presidency of the Council of Ministers in the EU has provided an outline of plans to tweak the proposed “one-stop-shop” mechanism by allowing local data protection authorities (DPAs) to have more of a say in cases where a questionable data protection practice affects citizens within their jurisdiction. The presidency proposed not employing the one-stop shop “if the subject matter of the specific processing concerns only processing carried out in a single member state and involving only data subjects in that single member state.” The local DPA, in such a case, would have power to investigate and resolve cases on their own, regardless of where the data processor’s headquarters are located, the report states. [Out-Law]

EU – UK Man Wins Damages Under Spam Rules

Retailer John Lewis has been prosecuted for sending unsolicited e-mails in a privacy ruling “that could open the floodgates for harassed consumers.” A producer for Sky News brought the case, and a county court said the company acted unlawfully because it couldn’t prove Roddy Mansfield agreed to receive the e-mails or was a customer. This is the third time Mansfield has won damages for receiving spam under the Privacy and Electronic Communications Regulations. [Sky News]

EU – Garante Publishes New Cookie Rules

Garante, the Italian data protection authority, has published new provisions on consent and policies around online cookies, emphasizing the difference between “technical” cookies and “profiling” cookies. For technical cookies, the presence of a privacy policy will suffice. However, when using profiling cookies, sites will need to gain consent and notify the Garante of the practice. The provisions also distinguish between first- and third-party cookies, drawing a line between the liability of publishers and of others. “On this point the DPA is clear: As for the to third parties cookies, the editor acts as a mere technical intermediary and does not have any responsibility for privacy infringements,” the report states. [eLex]

EU – Room: Regulators Acting Like EC Proposal Is In Effect

While proposed EU data protection reforms may be far from becoming law, “Regulators and courts throughout Europe are acting as if the proposed legislation were already in force,” Stewart Room told SC Congress attendees, noting that “with regulators and courts already acting according to the new thinking embodied in” the proposal, increased fines are the only big change that would come with its passage. Room also addressed the recent European Court of Justice ruling against Google, noting that it shows that “anyone with power over data will be treated as a data controller” and that EU authorities have no fear in taking on big tech firms. [ComputerWeekly]

EU – Malta’s Education Minister Suspends Student Data Request Pending Report

Education Minister Evarist Bartolo has suspended the implementation of a legal notice allowing him and “unspecified” authorities to request student information from school representatives. Legal Notice 76 would require school representatives to hand over data relating to students’ abilities and identity card numbers or face criminal charges. Bartolo contacted the Data Protection Commissioner once the notice was passed, and the commissioner set up a working group to determine the privacy concerns and whether the notice breached the privacy act. The notice is suspended pending the working group’s report. [The Independent]

EU – Swiss Gov’t Surveillance Bill Sparks Protest

The Swiss government has proposed legislation that would increase its ability to access electronic communications and Internet data and strengthen mandatory data retention laws. The proposal contains “provisions which greenlight government use of Trojan horse software and IMSI catchers” for criminal investigations and increase data retention requirements on telcos, telecom-enabled communications providers and non-commercial providers as well. The bill easily cleared the Council of States, the report states. Privacy rights activists have planned a protest against “BÜPF,” as it’s called. [Access Now]

WW – Apple Talks Privacy Amongst Plans to Connect Home, Devices

At the Worldwide Developers Conference on Monday, Apple unveiled plans to connect users’ mobile devices with an array of Internet-connected home appliances, Politico reports. Apple Senior Vice President Craig Federighi said, “We thought we could bring some rationality to this space.” McKenna Long & Aldridge advisor Dan Caprio said, “When you see a company like Apple (talking) about open standards and interoperability, that’s the next phase,” adding, “It’s a very big deal for consumer applications.” Other updates include a new API for the fingerprint sensor and encrypted e-mail storage on the cloud. Additionally, Apple will make privacy-enhancing search engine DuckDuckGo available on its Safari browser. However, The Hill reports that privacy advocates are examining Apple’s new features, including plans for a new fitness data center. [Source]

US – Brill to Push Back Against Use-Based Privacy Frameworks

The FTC’s Julie Brill spoke in Brussels yesterday about big data, data brokers, privacy and competition with still-in-office European Data Protection Supervisor Peter Hustinx. Brill said she’s planning to push back against privacy frameworks that examine only use or risk, Politico reports. “Notice and choice, collection limits and data security—as well as a careful analysis of the risks that go along with actual data uses—are all necessary strands in the tapestry we must weave to create effective consumer privacy protection,” Brill said. She added that she applauds companies that are using privacy as a competitive differentiator. [Politico]

Facts & Stats

WW – Cloud Breaches Are Three Times Costlier, Report Finds

While many IT professionals might say differently, a data breach in the cloud could be at least three times as costly as a typical security breach, a recent IT survey indicates. The Ponemon Institute report surveyed more than 600 U.S.-based IT and IT security professionals. Meanwhile, cloud software startup Okta will announce later this week that it’s secured a new round of funding via Sequoia Capital, putting its pre-money valuation at nearly $600 million, and Google is getting behind an open source cloud computing technology called Docker

US – HR Analytics Firm Secures $25.5 Million

Visier has attracted $25.5 million in new financing as “the growth of its software business applying big data analytics technologies to the human resources market” continues. The company’s CEO says it is the next step in the development of HR technology. The company’s software uses “natural language processing” to return information from direct queries about business processes and human resources information “directly to the end-user, without having to take any additional steps,” the report states. Visier’s customers include companies like Nissan Automotive, energy company Exelon Corp. and government agencies in cities across the U.S. [Tech Crunch]

Finance

US – CFPB Collecting Info on Mobile Financial Services

The Consumer Financial Protection Bureau (CFPB) has announced it is looking “into the opportunities and challenges associated with the use of mobile financial services.” The regulatory agency wants to know more about how consumers are using such services, including a focus on economically vulnerable customers. Four areas of interest for the CFPB include access for the underserved, real-time money management, customer service, privacy concerns and data breaches. The move “suggests that the bureau may attempt to use its authority under the Dodd-Frank Act to expand further into arenas touching on telecommunications and privacy and data security.” [Consumer FInance ] [Ad Law Access]

US – Credit Union Association Renews Calls for Federal Data Security Standards

With the P.F. Chang’s breach fresh in the headlines, National Association of Federal Credit Unions (NAFCU) President and CEO Dan Berger is renewing calls for national data security and breach notification standards. “It has been almost six months since Target’s data breach, and we still have no new data security standards for retailers,” he said, adding, “Since Target, there has been a major data breach discovered almost every month. The continued lack of national data security standards is an open invitation to cybercriminals.” Credit unions are subject to the Gramm-Leach-Bliley Act, but retailers are not, the report states. Meanwhile, P.F. Chang’s is reportedly using carbon-copy credit card machines after their recent breach. [Gov Security News]

US – 77,000 Non-U.S. Financial Organizations Agree to Share Data with IRS

Associated Press reports on a new data sharing agreement between the U.S. Internal Revenue Service and more than 77,000 foreign banks, investment funds and other financial organizations to help curb offshore tax evasion. As of March 2015, the organizations have agreed to share account holder names, account numbers and balances for U.S. taxpayer accounts. Under the Foreign Account Tax Compliance Act (FATCA), foreign institutions that do not participate face harsh penalties when conducting business in the U.S. “The strong international support for FATCA is clear,” said Deputy Assistant Treasury Secretary for International Tax Affairs Robert Stack. [AP]

FOI

CA – Sharp Increase in Ottawa Blocking Release of Records, Watchdog Says

Canada’s Access to Information Commissioner received a major increase in complaints over the past year related to federal departments blocking the release of government records. In her annual report tabled this week, Commissioner Suzanne Legault urges the government to improve its performance as soon as possible, after complaints rose by more than 30%. “This decline in performance must be promptly addressed,” she states. “Canadians should be concerned and speak out whenever their quasi-constitutional right of access is in jeopardy.” [The Globe and Mail]

CA – Freedom of information gets D on P.E.I.

Access to government information on P.E.I. is limited says a new report from Newspapers Canada, and the information commissioner herself is complaining she hasn’t got the resources to do her job. Information and privacy commissioner Maria MacDonald wrote in her annual report she is falling farther and farther behind in reviewing files where government has refused to provide information under the province’s Freedom of Information Act. MacDonald’s position is part-time, three days a week. She inherited a backlog of cases when she got the job. And every year that pile of cases grows. Some date back to 2010. “It’s not a secret we have been struggling since the office opened basically with the backlog of file reviews,” she said. [CBC News]

Genetics

CA – Human Tissue Removed for Medical Tests is ‘Personal Property’ of Institution, Not Person it Came From: Ruling

In a precedent-setting decision that could eventually affect everything from stem cell research to billions in pharmaceutical spending, an Ontario court has ruled that excised human tissue is private property and that it belongs not to the person from whom it came but to the institution that holds it. The ruling, which came in the preliminary phase of a medical malpractice case, is the first “clear, definitive statement about tissue being property in Canada,” said Tim Caulfield, a Canada Research Chair in health law and policy at the University of Alberta. If held up by other courts, it could eventually limit the ability Canadians have to decide what’s done with their own blood samples, tissue biopsies and genetic data. [Source]

Google

EU – Google to Flag “Right To Be Forgotten” Search Results

In the continuing developments after last month’s European Court of Justice ruling on the so-called “right to be forgotten,” Google has indicated it will flag search results it has censored after a takedown request has been accepted. The message would be similar to ones notifying users when a copyright takedown has been enacted. Google also said it will include statistics on takedown request removals in its biannual transparency report. As of June 9th, the company had received approximately 41,000 takedown requests. Google CEO Larry Page said that, of those requests, nearly one-third involved a fraud or scam, one-fifth a serious crime and 12% were connected to child pornography arrests, the report states. [The Guardian]

WW – Google’s New All-Seeing Satellites Have Huge Potential—for Good and Evil

With the $500 million purchase of Skybox, a startup that shoots high-res photos and video with low-cost satellites, Google can extend its reach far across the offline world. Thanks to its knack for transforming mass quantities of unstructured data into revenue-generating insights, the unprecedented stream of aerial imagery to which the company is gaining access could spark a whole new category of high-altitude insights into the workings of economies, nations, and nature itself. But this acquisition will also demand assurances from Google that it will incorporate privacy safeguards into its vast new view of the world. [Wired]

Health / Medical

WW – Apple to Release Health-Tracking App

Apple will this week introduce a new health-tracking app at its annual Worldwide Developers’ Conference. The app will monitor users’ footsteps, heart rate and sleep activity, the report states, initially pulling data from third parties’ health and fitness hardware. Apple will likely release a smart watch later this year, however, that will synch with its app. Meanwhile, Nick Bilton describes some of the risks inherent in homes that are connected to the Internet of Things. “I can’t shake the feeling that one day, maybe, just maybe, my entire apartment is going to get hacked,” Bilton writes. [The New York Times]

US – Apple’s HealthKit Raises Eyebrows Among Experts, Advocates

Following the debut of Apple’s HealthKit last week, healthcare experts and privacy advocates are voicing concerns over the sharing of confidential data and use of medical terms. One healthcare expert recently noted, for example, that data on a user’s phone isn’t covered under HIPAA, but it may be if it’s transmitted to a doctor, provider or pharmacy. Meanwhile, a report on the MIT Digital Summit suggests mobile apps and cloud computing “may soon end the doctor’s reign as the be-all, end-all of medical care,” and a federal IT panel recently took “baby steps” toward using technology to ensure future privacy protections for electronic health records. [FierceMobileHealthcare] See also: [How Can Healthcare Get Security Right?]

WW – Android Changes App Update Permissions Change Notification

A change in the way automatically updated Android apps inform users about changes in permissions could put users at risk of having their information shared, or allowing their device to send SMS messages from apps without their knowledge. Formerly, apps displayed any permission changes when they updated automatically. Now, permission changes are not displayed if users have previously allowed a permission in the same category. [ArsTechnica] See also: [“WARNING Your phone is locked!” Crypto ransomware makes its debut on Android]

US – Startup Unveils “Wearable Health Record” for Google Glass

Healthcare tech startup Drchrono has developed a new “wearable health record” application for Google Glass. Doctors can use it to record a consultation or surgery with patient consent, and then videos, notes and photos can be stored in the patient’s electronic health record. Dr. Bill Metaxas, who uses the technology, has warned physicians to be diligent about obtaining patient consent prior to use and to lock down the app’s security settings. “Google is still in the early stages of determining the most viable use cases for Google Glass,” Drchrono Cofounder Daniel Kivatinos said, adding, “But some doctors are demanding Glass, so Google is providing resources and support to developers.” [Reuters] See also: [Smartwear revolution promises healthier lives but raises privacy concerns]

WW – Worried About Getting Glassed? A Berlin Artist Offers One Solution

A Wired report offers a solution to those worried about Google Glass’s ability to surveil . A Berlin artist, Julian Oliver, has written a program called Glasshole.sh that detects any Google Glass device attempting to connect to a WiFi network—it’s effectively a “glass-detector,” capable of sending a “deauthorization command,” cutting off the WiFi connection and emitting a “beep” to alert others that a Glass wearer is nearby. “To say, ‘I don’t want to be filmed’ at a restaurant, at a party or playing with your kids is perfectly okay. But how do you do that when you don’t even know if a device is recording?” Oliver said. “This steps up the game. It’s taking a jammer-like approach.” [Wired]

US – What’s Top Privacy Concern for Healthcare Execs? Access Management

A new report from KLAS reveals that identity management and unauthorized data access by employees tops the table for healthcare executives’ biggest privacy and security concerns. The report, “Security and Privacy Perception 2014: High Stakes, Big Challenges, “ is based on a survey of 104 healthcare providers and found that, according to the respondents, there is no clear leader in healthcare security services. The top five services healthcare organizations were looking for included HIPAA and Meaningful Use risk assessment; attack and penetrating testing; privacy assessment; HIPAA breach advisory services, and mobile security advisory services. Additionally, 75% of academic medical centers said they were “prepared” or “very prepared” for an Office for Civil Rights audit. The second leading privacy concern, according to the report, is bring-your-own-device and remote security policies. [FierceHealthIT] See also [“Data Breach Fatigue,” Ralph Nader and What It Could Mean for the Privacy Profession] and [Canada: Privacy laws hamper quest to find birth defect’s cause]

Horror Stories

US – AT&T Says Sensitive Consumer Data Accessed in Breach Incident

In a filing with California state regulators, AT&T said an unknown amount of customer data was accessed in a breach. Compromised data included Social Security numbers and call records reportedly accessed between April 9 and 21. California law requires companies to report breaches affecting at least 500 customers. “Employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization,” AT&T wrote in a letter to customers. “AT&T believes the employees accessed your account as part of an effort to request codes from AT&T (that) are used to unlock AT&T mobile phones in the secondary mobile phone market.” The company believes three employees of a vendor may have improperly accessed customer accounts. [PC World]

US – PF Chang’s Investigating Data Breach

US restaurant chain PF Chang’s says it is in contact with law enforcement agencies regarding reports that attackers stole customer payment card data from the company’s systems. Several days ago, thousands of recently stolen credit card numbers and their associated information were offered for sale in an underground forum known for trading in such things. The breach affects cards used at several different locations, suggesting that the attackers breached the company’s point-of-sale network, much like the attacks on Target and Sally Beauty. [KrebsonSecurity] [GovInfoSecurity] [SANS]

US – ComScore Settles Privacy Class-Action for $14 Million

Analytics company comScore has agreed to pay panel members $14 million for privacy violations, and it will revise disclosures to panelists and implement procedures with its partners. U.S. District Court Judge James Holderman must still accept the settlement. Meanwhile, Michaels Stores Inc. is asking an Illinois federal judge to dismiss a class-action lawsuit brought by plaintiffs who claim harm for the company’s data breach. The company argues the plaintiffs lack standing in the case. [MediaPost] See also: [Toronto: Hospital contacts police after patient records of 8,300 mothers breached]

US – House Committee Probing FTC Breach Enforcement

The U.S. House Oversight Committee is launching an investigation into the FTC data breach complaint against LabMD . A lawyer representing security vendor Tiversa told an FTC administrative law judge that the House panel is investigating the company. According to the complaint that was brought against LabMD in 2013, the company exhibited poor data security practices by placing a spreadsheet containing sensitive personal data of more than 9,000 customers on a Tiversa P-to-P network in 2008. LabMD, which has since gone out of business, has argued the FTC does not have the authority to bring such complaints against companies and that it has provided little guidance. [PCWorld]

Identity Issues

US – Subpoena Gives White House Access to Whistleblower Portal

The Project on Government Oversight (POGO) encourages whistleblowers to use Tor to submit tips, but Obama administration lawyers are using the power of the administrative subpoena to take data from the encrypted submission portal. POGO has received, for example, more than 700 tips about abuse and mismanagement at the Veterans Administration in less than a month, the report states. The administrative subpoena does not require probable cause and “comes as the number of so-called drop boxes from media organizations and other whistleblower groups is on the rise in the wake of the Edward Snowden revelations,” the report states. [Ars Technica]

US – Solove: FTC Can Help Halt ID Theft

The FTC already has the legal framework in place to stop a lot of identity theft without needing new laws to be passed, writes George Washington Law School Prof. Daniel Solove. A major contributing factor to identity theft is the use of Social Security numbers (SSNs), which have come to be misused as passwords, and the government has failed to pass measures to protect them, Solove writes. But the FTC can remedy this, because it has the power to regulate organizations’ “reasonable data security protections,” and the use of SSNs as passwords is clearly “unreasonable.” [LinkedIn]

Internet / WWW

EU – European Firms Turn Cloud Into Competitive Differentiator

F-Secure is a European online security company offering secure and private cloud storage. Users can access photos, documents and video files remotely, similar to services offered by Dropbox and Google. F-Secure, however, touts that it does not share user data with third parties or governments. F-Secure’s servers are in Finland, which has some of the world’s strongest privacy laws. F-Secure’s founder said cloud services are “very much about trust,” adding, “As a Finnish security company, we can differentiate ourselves, particularly against U.S. companies.” F-Secure is one of many EU-based companies using robust privacy to compete with U.S.-based services. In a new report into the impact of the cloud (21-page) published by the Economist Intelligence Unit (EIU), consumers could gain greater control of how their personal information is “acquired, shared or used” by engaging with cloud-based services. Co-founder of German-based AntiSpamEurope said, “We have to match the quality of American companies but with the additional benefit of extra security.” [The New York Times]

WW – IT Pros See Danger Ahead with IoT

A study completed by online IT community site Spiceworks on how the Internet of Things (IoT) will impact IT professionals, titled “The Devices Are Coming.” According to their findings, 86% of IT pros admit “to believing the new breed of devices will create security and privacy issues.” Further, only 63% “are investing in security solutions to make the IoT safer for the business in question.” Similarly, while 71% of respondents think the IoT will adversely affect both consumers and internal workforce, 59% said they are “not actively preparing for the impact it may have on business.” Meanwhile, an opinion piece for Computerworld says IT pros may do well managing threats, but are they paying attention to their vendors’ security programs? [IT Pro Portal]

Law Enforcement

EU – EU Bill Would Allow Police Access to Air Passenger Details

The European Commission has renewed its push for the 2011 EU passenger name records proposal after news that a suspect in last month’s shootings at the Jewish Museum in Brussels spent time fighting with a radical Islamist group in Syria. The bill is aimed at protecting EU citizens from terrorists entering the region by air, but it was rejected last year due to privacy concerns. [EUObserver]

WW – Metadata Debate Ongoing in Australia, Canada, U.S.

While the Canadian Supreme Court has ruled IP address information may have privacy interests for individuals, in the U.S., courts continue to grapple with issues around tracking, and the Supreme Court decision on GPS tracking from two years ago has left behind questions. Australia currently allows warrantless collection of telecommunications metadata, but Commonwealth Ombudsman Colin Neave, responsible for inspecting certain police records, in a parliamentary hearing offered up his office to look into the practice. [ITNews] See also: [Commissioner Cavoukian Expects the Toronto Police Service to Follow the Law, launches legal action to halt the indiscriminate disclosure of attempted suicide information by the Toronto Police] and [ON: Police keep low profile while keeping tabs on sex offenders] and also: [Simon Fraser University expanding web sleuth program to track child exploitation]

WW – As Breaches Persist, Cyberinsurance Demand Increases

Amidst recent breach reports, The New York Times reports on the increase in demand for cyberinsurance policies—up 21% from 2012 to 2013. Breaches like the recent one that hit eBay “have become a reality of the business world,” the report states. However, “companies say it is difficult to get as much coverage as they need, leaving them vulnerable to uncertain losses,” the report states, citing the struggle to quantify losses from “intangible” damages such as loss of brand reputation or sales and for underwriters to find “data they need to figure out how likely it is that an attack will occur, or what it will cost … because most breaches go unnoticed or are never publicly reported.” Meanwhile, Reuters reports cybersecurity experts believe “companies are unlikely to be able to stop their systems being breached. The best defense may simply be either to reduce the data they hold or encrypt it so well that if stolen it will remain useless.” And Business Insurance reports when a major breach occurs, businesses “should be prepared for directors and officers liability-related litigation that is certain to follow.” [New York Times] see also: [TRO LLC – GET IT? Sprung From Prison, Hacker Creates Hedge Fund That Shorts Stocks Of Companies With Security Vulnerabilities]

Location

WW – How “Movement Fingerprints” Reveal Vast Amounts of Personal Data

A new research paper contends that it only takes approximately one week’s worth of geolocation data generated from the GPS signals sent from an individual’s smartphone to qualify as an “unreasonable search” and violation of the Fourth Amendment. A collaboration between lawyers and computer scientists, “When Enough is Enough: Location Tracking, Mosaic Theory and Machine Learning” explores the “mosaic theory” of the Fourth Amendment to show how detailed a picture such aggregated data creates. “It’s not the direct observations,” said co-author and former FTC Technologist Steve Bellovin, “It’s what can be inferred.” Machine learning helps make these inferences, while individuals, by following daily routines with their smartphones, help generate a “movement fingerprint.” The authors noted their goal was “to identify the … point at which long-term government surveillance becomes objectively unreasonable.” Bellovin added, “We put it at a week, based on our research.” [The New York Times]

US – Court Rules Warrant Required for Phone Location Data

The 11th Circuit Court of Appeals has ruled police need a warrant prior to accessing user location data from service providers, noting it is the first ruling of its kind in the U.S. The judges wrote, “While committing a crime is certainly not within a legitimate expectation of privacy, if the cell site location data could place him near those scenes, it could place him near any other scene … There is a reasonable privacy interest in being near the home of a lover, or a dispensary of medication, or a place of worship or a house of ill repute.” ACLU Attorney Nathan Freed Wessler said , “The court soundly repudiates the government’s argument that merely by using a cellphone, people somehow surrender their privacy rights.” [Associated Press]

Offshore

EU – Council May Offer Tweak to Proposed “One-Stop-Shop” Mechanism

The Presidency of the Council of Ministers in the EU has provided an outline of plans to tweak the proposed “one-stop-shop” mechanism by allowing local data protection authorities (DPAs) to have more of a say in cases where a questionable data protection practice affects citizens within their jurisdiction. The Presidency proposed not employing the one-stop shop “if the subject matter of the specific processing concerns only processing carried out in a single member state and involving only data subjects in that single member state.” The local DPA, in such a case, would have power to investigate and resolve cases on their own, regardless of where the data processor’s headquarters are located, the report states. [Out-Law]

WW – Twitter, Netflix, Walmart Among Top Scorers in OTA Audit

The Online Trust Alliance recently evaluated 800 top consumer websites and reports only 30 percent of them made the “honor roll.” Those that made the cut did so by exercising best practices in domain and brand protection, privacy and security. Nearly 70% failed in at least one of the categories. Twitter received the top overall award, with American Greetings, Netflix and Walmart also up top, among others. “These companies represent a broad spectrum, ranging from the fourth highest revenue earner among retailers to the 476th highest,” said the OTA’s Craig Spiezle, adding that means data safety is “achievable by retailers of all sizes and that the criteria is not onerous or costly to achieve.” [OTA]

Online Privacy

WW – Facebook Announces Interest-Based Ad Controls

Facebook has announced it will begin using online data from websites and ads used by Facebook users to serve targeted advertisements, but is also providing users with more controls to see why they’re receiving a given ad and to opt out via the Digital Advertising Alliance opt-out program. “People tell us they want more control over the ads they see,” Facebook wrote in a press release, adding, “If you live in the U.S., you’ll be able to use ad preferences in the next few weeks, and we are working hard to expand globally in the coming months.” [Facebook Newsroom] [A New York University (NYU) graduate student, using 3D printing, has linked real-world nakedness with the ways in which users expose themselves online in a unique way]

US – NSA Chief: Anonymity Is a Thing of the Past

The head of the National Security Agency (NSA), Adm. Michael Rogers, says the concept of total anonymity “might be something of an anachronism.” “In the world we’re living in, increasingly by choice and by chance, we are forfeiting privacy at levels that, as individuals, I don’t think we truly understand,” adding that the NSA is caught in the tension inherent there. Meanwhile, on the first anniversary of the Snowden revelations, Danielle Kehl and Kevin Bankston look at the “real costs of NSA surveillance” for CNN. Despite government assertions otherwise, surveillance doesn’t make us safer, they contend, and now the U.S. cloud computing industry is projected to lose between $25 billion and $180 billion in the next three to five years, among other repercussions. [The Hill]

WW – Microsoft to Implement Simplified Privacy Policy, Promises No Snooping

Microsoft will implement an updated, simplified privacy and services policy that makes it clear the company won’t snoop on users’ e-mail or Skype calls for the purpose of advertising. The updated privacy policy will take effect July 31 and applies to all of Microsoft’s services. Meanwhile, many in the technological community are applauding Apple’s decision to shift how the iPhone searches for WiFi connections via a simple software update. The new version will “undermine a widely deployed system that stores have used to track the movements of customers to analyze shopping habits.” [PC World]

Other Jurisdictions

AU – Turnbull Speaks About RTBF, Big Data and Government Responsibility

Australian Communications Minister Malcolm Turnbull gave a speech at the National Archives Conference that could easily have been titled, “With Great Power, Comes Great Responsibility.” Outlining the historical need to remember, Turnbull noted that in the digital world—and importantly the post-Snowden world—the right-to-be-forgotten debate “has become increasingly relevant.” The recent European Court of Justice decision raises a lot of questions, he says, noting that one is, “Did the court go far enough—is it enough to say that you should be removed from the Google search results?” Turnbull also spoke to the economic opportunities of big data as well as its implications for government. [Full Story] See also: [US: Big Data knows you’re sick, tired and depressed]

AU – AG Introduces Bill to Update Gov’t Privacy in Victoria, AU

Victorian Attorney-General Robert Clark has introduced the Victorian Privacy Data and Protection Bill 2014, which would replace the state’s privacy and law enforcement data security acts. If passed, the bill would create a commissioner for privacy and data protection to be appointed by the government, which would replace the current Victorian privacy commissioner and Victorian commissioner for law enforcement data security. The new commissioner would “promote the state’s privacy principles, guide agencies, investigate privacy complaints and audit agency compliance with statewide data protection standards,” the report states. [ITNews]

AU – AG Welcomes New Privacy Act, Territory Privacy Principles

“The Information Privacy Act supports the development of clear, consistent and easy to understand information sharing practices within the ACT public service,” said Australia’s Attorney General Simon Corbell, in welcoming the passage of the act. The act sets out new Territory Privacy Principles consistent with the recently passed Australian Privacy Principles to guide ACT agencies’ data handling practices. “In a world where technological changes have led to a shift in community perceptions of privacy, people are more willing to share personal information but are also increasingly interested in how their information is handled and managed,” Corbell said. [Full Story]

AU – Credit Providers Get New Regime Under New Australian Laws

Changes to Australian privacy law have changed the default requirements for credit providers reporting to credit reporting bodies. This report reviews what types of transactions fall under the new regime, as well as ways to meet the new requirements. [Mondaq report]

AU – Study Suggests Australian Law Reform Will Mirror UK, Germany

A study by EU-based firm Fieldfisher “suggests that the legal regime around data protection in Australia would soon mirror those in the UK and Germany,” which it states “are quite severe with respect to companies and other organisations holding private data, and such changes would impact the way Australian businesses handle their data.” The report quotes Fieldfisher’s Phil Lee as saying, “We are witnessing a unique legal phenomenon; there is a global convergence of data security law and regulation around the issue of encryption so that it does not matter where in the world your organisation operates—regulators everywhere increasingly expect encryption of sensitive data, computers, databases and applications.” [ZDNet]

NZ – Vincent Examines New Zealand Breach Reporting Law Questions

In a blog post for, Mark Vincent considers the government’s “intention to introduce a mandatory data breach reporting law as part of a raft of proposed changes to its privacy legislation.” If the Privacy Act reforms pass, businesses in New Zealand will have to report all data beaches and will face audits and fines, he notes. “There are some very important questions that they’ll want answered in the exposure draft legislation,” Vincent writes, including what the definition of a breach is and what the threshold of risk of harm should be before the privacy commissioner and those affected by a breach are notified. [IT News]

HK – Hong Kong Data Privacy Laws Not Enough to Stop Stalking

After 14 years of debate on an anti-stalking law, reports that the Constitutional and Mainland Affairs Bureau wrote to lawmakers this week indicating, “The administration is of the view that there are no favourable conditions for us to pursue the matter further.” Privacy Commissioner Allan Chiang Yam-wang said data privacy laws are not enough to protect stalking victims, the report states. “It is disappointing,” he said, adding stalking “is a problem in society that will only get more serious as technology advances … legislation is the best way to solve this.” He added, “It’s like putting out a fire … Should we try to solve the problem now or wait for it to get so serious in the future that we reach a point of no return?” [South China Morning Post]

Privacy (US)

US – Poll: 80% in Favor of ECPA Reform

According to a recent poll of residents in five U.S. states, more than 80 percent are in favor of changing the Electronic Communications Privacy Act (ECPA) of 1986. The poll indicated 64% think the issue of digital privacy is “increasingly important” following the NSA revelations, and 72% said they would be more willing to vote for a candidate who supports reforming the ECPA. The poll was conducted by Digital 4th and surveyed residents of Georgia, New Hampshire and Colorado, among others. [TechCrunch]

US – Suit Claims Disney Violated VPPA

A man has filed a lawsuit against the Disney Channel application on the Roku streaming device. In the proposed federal class-action, James Robinson says The Walt Disney Company violated the Video Privacy Protection Act by sharing information on users’ viewing habits with third parties without users’ consent. Robinson claims Disney sent the data to analytics company Adobe in order to “form comprehensive profiles about a person’s entire digital life. These profiles can then be used for targeted advertising, sold as a commodity to other data brokers or both,” the complaint states. [Courthouse News Service]

US – NTIA Looking for Public Input on Data Collection

The National Telecommunications and Information Administration (NTIA) is seeking public comment as to whether the Obama Administration’s Privacy Bill of Rights should be “clarified or modified to accommodate the benefits of big data.” Last month’s big data reports indicated the possibility of discrimination and other concerns, and the NTIA would now like comments on whether “consumer privacy legislation (could) make a useful contribution to addressing this concern … Should big data analytics be accompanied by assessments of the potential discriminatory impacts on protected classes?” [MediaPost]

US – ComScore Settles Privacy Class-Action for $14 Million

Analytics company comScore has agreed to pay panel members $14 million for privacy violations, and it will revise disclosures to panelists and implement procedures with its partners. U.S. District Court Judge James Holderman must still accept the settlement. Meanwhile, Michaels Stores Inc. is asking an Illinois federal judge to dismiss a class-action lawsuit brought by plaintiffs who claim harm for the company’s data breach. The company argues the plaintiffs lack standing in the case. [MediaPost]

US – Brill to Push Back Against Use-Based Privacy Frameworks

The FTC’s Julie Brill spoke in Brussels about big data, data brokers, privacy and competition with still-in-office European Data Protection Supervisor Peter Hustinx. Brill said she’s planning to push back against privacy frameworks that examine only use or risk. “Notice and choice, collection limits and data security—as well as a careful analysis of the risks that go along with actual data uses—are all necessary strands in the tapestry we must weave to create effective consumer privacy protection,” Brill said. She added that she applauds companies that are using privacy as a competitive differentiator. [Politico]

US – Has the Time Come for Statewide Chief Privacy Officers?

As chief privacy officers (CPOs) become increasingly pervasive in the private sector, Government Technology looks whether the time has come for CPOs to become just as common in government departments, maybe even in a statewide role. While tight budgets have hampered governments in terms of hiring CPOs, the IAPP currently has more than 1,500 certified members in the public sector. And that’s expected to grow. “The potential for it to catch on at the state level is certainly there,” said Sallie Milam, West Virginia’s first statewide CPO. Editor’s Note: Sheila Kaplan made the case for state education CPOs in this Privacy Tracker post.[Full Story]

US – House Committee Probing FTC Breach Enforcement

The U.S. House Oversight Committee is launching an investigation into the Federal Trade Commission’s (FTC) data breach complaint against LabMD. A lawyer representing security vendor Tiversa told an FTC administrative law judge that the House panel is investigating the company. According to the complaint that was brought against LabMD in 2013, the company exhibited poor data security practices by placing a spreadsheet containing sensitive personal data of more than 9,000 customers on a Tiversa P-to-P network in 2008. LabMD, which has since gone out of business, has argued the FTC does not have the authority to bring such complaints against companies and that it has provided little guidance. [PCWorld]

US – Rep to Take Shortcut Around ECPA Update

It’s been more than a year since the E-mail Privacy Act was introduced in an effort to update the Electronic Communications Privacy Act, but one of the bill’s authors says he plans to take a shortcut and introduce a privacy amendment in upcoming House Appropriations legislation that would get the same job done. Rep Kevin Yoder (R-KS) says his amendment would ban federal agencies from using “any part of their budget for accessing e-mails using warrantless data requests,” the report states. Yoder said the Fourth Amendment “applies to digital communications, same as with paper communications.” [The Washington Post]

US – Microsoft Fights U.S. Order to Disclose E-mail Stored Overseas

In a continuing legal battle, Microsoft is challenging a U.S. federal court order to turn over a customer’s information stored in a data center in Ireland—possibly the first time a corporation has challenged such a warrant. Additionally, Verizon filed an amicus brief on Tuesday that parallels Microsoft’s arguments, and, according to the report, more companies are expected to join. In a court filing made public this week, Microsoft contends that if the order were upheld, it “would violate international law and treaties and reduce the privacy protection of everyone on the planet.” Peter Swire said, “This is a policy decision as well as a legal one.” [The New York Times] [GovInfoSecurity] [ArsTechnica] [CNET] [Microsoft’s Objection] [Judge’s Order]

US – Poll: 80% In Favor of ECPA Reform

According to a recent poll of residents in five U.S. states, more than 80 percent are in favor of changing the Electronic Communications Privacy Act (ECPA) of 1986. The poll indicated 64% think the issue of digital privacy is “increasingly important” following the NSA revelations, and 72% said they would be more willing to vote for a candidate who supports reforming the ECPA. The poll was conducted by Digital 4th and surveyed residents of Georgia, New Hampshire and Colorado, among others. [Tech Crunch]

US – Sens. Pledge to Examine Facebook’s Tracking Plans

Facebook’s announcement that it will begin targeting advertisements to users based on the sites they visit and apps they use has lawmakers promising they’ll be watching closely. “Facebook’s announcement today to track users as young as 13 outside its website in order to gather information for targeted advertising raises a major privacy red flag,” Sen. Ed Markey (D-MA) said Thursday. Sen. Jay Rockefeller (D-WV) said there’s a “need to closely review” the plans. Meanwhile, author Julia Angwin writes for ProPublica on why online tracking is “getting creepier.” [The Hill]

US – Going for Brokers: Potential Pitfalls in Proposed Data Broker Legislation

The FTC, in its recent report, recommended Congress consider legislation to improve transparency in the data brokers industry, a push made by Sens. John Rockefeller (D-WV) and Ed Markey (D-MA) when introducing their Data Broker Accountability and Transparency Act of 2014 (DATA Act). The Hogan Lovells privacy team writes for Privacy Tracker about the proposal, noting, “Through its rulemaking authority under the DATA Act, the FTC could clarify the scope of the law. However, the current version of the legislation offers little guidance to the commission about how to interpret the ambiguous provisions.” [Hogan Lovells]

US – NSA Court Win Couched in a Plea for Reform?

The U.S. District Court of Idaho has granted a motion to dismiss a case claiming Fourth Amendment violations related to the NSA’s mass surveillance of telephone data. In the decision, Judge B. Lynn Winmill outlines his reasons for siding with the NSA but also indicates a reluctance to do so. Emily Leach sums up the decision, noting Winmill recommends the U.S. Supreme Court look to Judge Richard Leon’s decision against the NSA as a template for its opinion. He also questions the veracity of the NSA’s claims that it doesn’t collect location data. Leach writes, “After five pages of explanation as to why he’s dismissing the case, Winmill acknowledges there’s ‘a subject lurking in the shadows here: The possibility that the NSA is tracking the location of calls using the trunk identifier data discussed above.’” [Privacy Tracker]

US – EFF Wins Drone Records Request, Now Seeks Attorney’s Fees

The Electronic Frontier Foundation (EFF) has gained access to 700 pages of documents related to Customs and Border Patrol (CBP) use of drones. The documents reveal the “department had arranged more than 500 flights for dozens of law-enforcement organizations and that more than a fifth of these flights helped Immigration and Customs Enforcement,” EFF stated. Because the EFF won access to these never-before-seen and frequently reported-on documents, it is asking for upwards of $83,000 in attorney fees, stating that it furthered “public understanding of CBP’s Predator drone program and Predator drone surveillance capabilities and has alerted the public to how CBP has been allocating tax dollars on drone flights.” [Courthouse News Service] See also: [Canada – Drone code of conduct developed for journalists]

US – NTIA Looking for Public Input on Data Collection

The National Telecommunications and Information Administration (NTIA) is seeking public comment as to whether the Obama Administration’s Privacy Bill of Rights should be “clarified or modified to accommodate the benefits of big data.” Last month’s big data reports indicated the possibility of discrimination and other concerns, and the NTIA would now like comments on whether “consumer privacy legislation (could) make a useful contribution to addressing this concern … Should big data analytics be accompanied by assessments of the potential discriminatory impacts on protected classes?” [MediaPost]

Privacy Enhancing Technologies (PETs)

WW – The Uphill Climb for Privacy Search Engine Start-ups

Search engines designed to protect user privacy are finding it difficult to get users to switch from Google and to generate profits without selling consumer data to advertisers. A representative from Ixquick, a search provider whose policies are endorsed by the European Commission, said, “Privacy has a price regarding user-friendliness … We know we could make more money by using targeted advertising.” According to a Mozilla poll, privacy is the biggest concern for Internet users, increasing business at companies such as DuckDuckGo , Qwant and Ixquick. Google’s share of global Internet searches is down from last year, but much of that is thought to be from the rise of search engines in China. Upstart search engines are now looking for alternative revenue streams such as privacy-enhancing technologies. [Bloomberg] [Start-up Elasticsearch Raises $70 million]

US – A Roadmap for the Next Generation of Privacy Pros

“The concept of a career roadmap is something with which we are extremely familiar,” write Chris Stevens and Steve Holland, who are both retired military intelligence professionals with a combined 60 years of service. “This is why we are proposing a career roadmap for privacy professionals.” Detailing with both prose and graphics what such a map might look like, they highlight the importance of education and certification, noting the career roadmap “will provide aspiring privacy professionals with a pathway to success and establish hierarchical relationships between certifications.” [Privacy Perspectives]

Security

US – FCC Chairman Urges Private Companies to Take Responsibility for Cyber Security

FCC chairman Tom Wheeler said private sector companies must do better than current efforts that have been pushed forward by established voluntary frameworks. Wheeler said, “the network ecosystem must step up to assume new responsibility and market accountability for managing cyber risks.” If there is not measurable improvement, Wheeler did not rule out the possibility of calling for government regulations. The FCC plans to check whether companies have implemented the framework recommendations, which were developed in 2011, and whether or not they have been effective. The FCC will also look into better ways to help companies share information about cyber threats. [ComputerWorld] [FedScoop] [Washington Post]

US – Virginia Eyes the Title of National Cybersecurity Leader

Virginia is gunning for the title of national leader in cybersecurity, and a new commission to meet for the first time today aims to help it achieve just that. Gov. Terry McAuliffe signed an executive order in February creating the Virginia Cyber Security Commission, which will “identify the state’s high-risk cybersecurity issues,” recommend methods to secure the state’s systems and data and suggest methods to promote awareness of cyber-hygiene, the report states. Virginia Secretary of Technology Karen Jackson and Good Harbor Security Risk Management CEO Richard Clarke will co-chair the commission. [StateTech]

WW – Cupid Code Exploits WiFi Networks; Hacker Gets Four Years in Prison

A new open-source code, made possible in part by the Heartbleed vulnerability, can exploit wireless networks by streamlining the process of stealing passwords, e-mail addresses and other sensitive data from routers and other connected devices. The malicious code can take two main forms. One commands a wireless network to deploy “evil networks” that can send malicious data to connected devices, while a second extension runs on client devices, the report states. The devices then send attack packets to hoard data from vulnerable routers. Meanwhile, a hacker received four years in federal prison for a string of hacks targeting computer networks around the U.S., including law enforcement organizations. [Ars Technica]

Smart Cards

US – State University Establishes Privacy Values, Principles in Official Framework

The University of California has become the first major higher education institution in the country to clearly define privacy for both individuals and the university as a whole, according to a newsletter from the university’s president. The school has established guiding principles and a framework on privacy which “outlines the values and operating principles needed to strike the delicate balance between protecting the personal autonomy of individuals at UC and safeguarding the data entrusted to the university by the people it serves—all while maintaining the institutional transparency required of a public agency,” the newsletter says. [Source]

Surveillance

US – ACLU Map Shows States Where Law Enforcement Has Stingray Technology

The American Civil Liberties Union (ACLU) has published a map showing which states’ law enforcement agencies have cell site simulators. The controversial technology often identified as Stingray, which is actually the trademarked name of a specific device made by a Florida-based company, is confirmed to be owned by law enforcement agencies in 15 US states. Use of the technology in other states has been neither confirmed nor denied. The Harris Corporation, which manufactures Stingray, has required law enforcement agencies that purchase the technology to sign non-disclosure agreements, which prohibit the agencies from even discussing whether or not the have/use the devices and certainly from explaining them. [ArsTechnica] See also: [US – Judge Says Stingray Transcript Should be Unsealed in its Entirety] and [US – US Marshals Seize Stingray Files Before ACLU Sees Them: WIRED |ArsTechnica | ACLU]

US – NSA Court Win Couched in a Plea for Reform?

The U.S. District Court of Idaho has granted a motion to dismiss a case claiming Fourth Amendment violations related to the NSA’s mass surveillance of telephone data. In the decision, Judge B. Lynn Winmill outlines his reasons for siding with the NSA but also indicates a reluctance to do so. Emily Leach sums up the decision, noting Winmill recommends the U.S. Supreme Court look to Judge Richard Leon’s decision against the NSA as a template for its opinion. He also questions the veracity of the NSA’s claims that it doesn’t collect location data. Leach writes, “After five pages of explanation as to why he’s dismissing the case, Winmill acknowledges there’s ‘a subject lurking in the shadows here: The possibility that the NSA is tracking the location of calls using the trunk identifier data discussed above.’” [Privacy Perspectives] [Full text of Judge B. Lynn Winmill decision here]

WW – Tech Giants Want Global Surveillance Reform

One year after the first Edward Snowden leak about NSA surveillance made its way into the public eye, nine of the world’s biggest technology companies have banded together to call on governments around the world to address surveillance. Additionally, they urge the U.S. Senate to not pass the NSA reform bill recently passed by the House of Representatives. In an open letter, the coalition also said it “believe(s) that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.” Included in the letter are five principles: limiting government authority to access user data; increased oversight and accountability; transparency about government data requests; avoiding data localization laws, and avoiding conflicts among governments. Today, organizations and activists are observing “Reset the Net“ to urge surveillance reform. [Full Story]

Telecom / TV

WW – Vodafone Reveals Gov’ts Have Direct Access to All Phone Conversations

One of the world’s biggest mobile phone organizations, Vodafone, has revealed the existence of “secret wires that allow government agencies to listen to all conversations on its networks, saying they are widely used in some of the 29 countries in which it operates in Europe and beyond.” The revelation comes as Vodafone also released its first-ever Law Enforcement Disclosure Report . Vodafone said governments have directly connected wires to its network to not only listen to conversations but also to track user location. Vodafone Chief Privacy Officer Stephen Deadman said, “We are making the call to end direct access as a means of government agencies obtaining people’s communication data,” adding, “Vodafone is calling for all direct-access pipes to be disconnected, and for the laws that make them legal to be amended.” [The Guardian] [WIRED] [BBC] [NBCNews] and [Vodafone Privacy Disclosures Seen Spurring Rivals to Follow]

WW – Apple iOS8 Feature Stops WiFi Tracking

A new feature in Apple’s upcoming operating system will prevent retail stores from tracking iPhones. Devices using iOS 8 will automatically randomize the MAC address that connects to a WiFi network. Security researcher Frederic Jacobs, the individual credited with finding the feature, wrote that he hopes the practice “becomes an industry standard.” However, Gizmodo reports that though the MAC address randomization will disguise users from mobile marketers, “iBeacon may be waiting in the wings.” Sen. Al Franken (D-MN) recently reintroduced a geolocation privacy bill and held a hearing on the issue last week. [The Verge] see also: [“Stalker App” Hearing Turns Into Debate on Self-Regulation]

US Government Programs

US – Parents Become a Political Force Against Mining Kids’ Data

Parents have catapulted student privacy to a frontline agenda item in statehouses across the country, catching big data advocates off guard. After taking down inBloom, parents are now targeting the development of state-run databases, promoted by the Obama administration, which store details on kids from infancy to the start of their careers. According to the report, the U.S. Department of Education recommends states get answers to hundreds of questions on kids, such as, “Did she make friends easily as a toddler? Was he disciplined for fighting as a teen?” Ed tech developers and school reformers were surprised by the outcry from parents, with one education think tank representative noting, “People took for granted that parents would understand (the benefits), that it was self-evident.” [Politico]

US – New Federal Database Will Track Americans’ Credit Ratings, Other Financial Information

As many as 227 million Americans may be compelled to disclose intimate details of their families and financial lives – including their Social Security numbers — in a new national database being assembled by two federal agencies. The Federal Housing Finance Agency and the Consumer Financial Protection Bureau posted an April 16 Federal Register notice of an expansion of their joint National Mortgage Database Program to include personally identifiable information that reveals actual users, a reversal of previously stated policy. FHFA will manage the database and share it with CFPB. A CFPB internal planning document for 2013-17 describes the bureau as monitoring 95 percent of all mortgage transactions. FHFA officials claim the database is essential to conducting a monthly mortgage survey required by the Housing and Economic Recovery Act of 2008 and to help it prepare an annual report for Congress. Critics, however, question the need for such a “vast database” for simple reporting purposes. [The Washington Examiner]

US – Berkman Center Releases Pragmatic Recommendations for Adopting the Cloud

A paper out of the Berkman Center for Internet and Society’s ongoing Student Privacy Initiative says while there’s no hard-and-fast rule on how to enable the use of cloud-based educational technologies while protecting student privacy, there are “pragmatic recommendations” to be followed. The paper’s authors suggest employing “centralization of cloud-based ed tech decision-making at the district level” in order to facilitate the appropriate level of oversight without forbidding experimentation; examining user-friendly labeling of cloud-based products to “increase transparency and encourage compliance with parental consent,” as well as adopting FIPPs. Meanwhile, advocates say a video series about special ed students filmed in a public school violated laws on children’s privacy. [Berkman]

US Legislation

US – Odds Are Against Hacking Legislation Passing

While retailers have reported multiple major hacks in recent months, legislators have not moved forward on anti-hacking legislation. “Despite an initial flurry of activity on Capitol Hill,” the report states, “none of the multiple bills … have moved out of committee,” suggesting, “the odds are increasing that Congress will fail to pass a bill this year.” Senate Commerce Committee Chairman Jay Rockefeller (D-WV) explained that having numerous committees—including Senate Judiciary, Senate Banking, Homeland Security and Judiciary—with jurisdiction complicates matters, the report states. Alison Hawkins of the Financial Services Roundtable said, “We are just hoping to get this done before there is another attack.” [The Hill]

US – Feinstein Holds Hearing to Examine House NSA Bill

Sen. Dianne Feinstein (D-CA), a supporter of NSA surveillance programs, held a hearing last week to examine the possible outcomes of the House-passed NSA reform bill. NSA Deputy Director Richard Ledgett said the current law requiring phone companies to retain billing records for 18 months is sufficient for the agency, but noted that he can’t say confidently that companies will retain call data for that period of time. “They’ll retain the records for as long as their business requirements dictate they retain their records,” he said. When asked about a minimum requirement for retaining calling records, Verizon Vice President Michael Woods said, “We would be very much opposed to it.” [NPR]

US – Sen. Menendez Introduces Commercial Privacy Bill of Rights

Sen. Robert Menendez (D-NJ) has introduced the Commercial Privacy Bill of Rights Act of 2014, which would establish “a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the FTC; to amend the Children’s Online Privacy Protection Act of 1998 to improve provisions relating to collection, use and disclosure of personal information of children, and for other purposes.” The bill has been referred to the Committee on Commerce, Science and Transportation.

US – California ZIP Code Law Exempts Machine Collection

A provision in California’s law prohibiting retailers to collect personally identifying information from credit card users exempts Redbox machines from the law, allowing them to collect ZIP codes from customers. The law exempts sellers that require PII to be used in conjunction with a credit card to collect money “in the event of default, loss, damage or other similar occurrence.” Redbox charges $1 for a daylong rental and then adds charges for each additional day. Because of this structure, the Ninth U.S. Circuit Court of Appeals in San Francisco has ruled the company is using the credit card as a deposit to secure payment, making it exempt from the law. [SFGate]

US – Colorado Law Aims to Strengthen Patient Privacy

A new law in Colorado prohibits the Department of Revenue from “accessing or distributing an individual’s personal medical record without their permission and creates a ‘Government Access to Personal Medical Information’ task force.” Gov. John Hickenlooper signed the bill on May 31, and it went into effect immediately. The panel will, over the summer, look into “why and to what extent state and local government departments or agencies have access to, and the ability to use or distribute, an individual’s personal medical information or medical record with and without the individual’s consent.” [Modern Healthcare]

US – NY Magistrate Judge Allows “Tower Dump,” Asks for Privacy Protections

Magistrate Judge James Francis issued an order on the lawfulness of warrantless “tower dumps,” which refers to the government practice of collecting “every cell phone that is connected with one or more cell towers over a specified period of time.” The ACLU and the NYACLU were asked by the court to submit a brief in the circumstance of one tower dump request in particular. The ACLU argued the Stored Communications Act doesn’t permit such broad requests and the practice also violates the Fourth Amendment. The court rejected this argument, noting that individuals give up the privacy of their cellphone location by signing up for the service, but asked the government to resubmit its request including “more specific justification for the time period for which the records will be gathered” and its protocol for handling “the private information of innocent third parties whose data is retrieved.” [ACLU]

US – Industry Group Backs Ohio Social Media Privacy Bill

The Financial Services Institute (FSI) has backed Ohio’s HB 424, which would ban employers and educational institutions from punishing individuals for “failing or refusing to grant access to, allow observation of, or provide access information to an individual’s personal Internet-based account.” FSI in particular pointed to a section of the bill that allows financial institutions to meet their compliance duties in candidate screening. [Akron Legal News]

US – Cybersecurity Would Get Big Money in Senate Appropriations Bill

The 2015 Senate appropriations bill has underscored cybersecurity as a focus for the Commerce Department, Justice Department and science agencies. The FBI maintains a 24-hour cyber-incident response taskforce and an agent training program; the Justice Department is set to add nine lawyers to prosecute cybercrime cases, and the National Science Foundation would receive $159 million to hand out in cybersecurity research grants. The bill also includes $45 million in scholarships to train cybersecurity professionals who agree to work in the federal government, and the Commerce Department stands to get $15 million to create a NIST National Cybersecurity Center of Excellence. The Senate also approved $16.5 million to fund a NIST identity management research project. Meanwhile, the Direct Marketing Association is voicing its disappointment with the reduction of money allocated to the census in the House appropriations bill, while noting the Senate bill left the amount untouched. [FCW]

US – Court Decision Helps Define Medical Information in California

The California Court of Appeal has ruled that a healthcare provider did not breach the state’s Confidentiality of Medical Information Act when it revealed patients’ personally identifying information. The decision added clarity to the definition of medical information under the act, as the provider lost a computer containing names, medical record numbers, ages, dates of birth and last four digits of patients’ Social Security numbers but nothing related to “medical history, mental or physical condition or treatment.” [Workplace Privacy Data Management & Security Report]

US – Florida Bill Would Require Guidelines for License-Plate Scanner Data

A bill in front of Florida’s governor includes a provision to create guidelines on the retention of license-plate scanner data. “Specifically, the bill calls for a statewide policy to set the length of time that the records of innocent people could be kept.” [Landline Magazine]

US – Indiana Privacy Laws Go Into Effect July 1

House Bills 1009 and 1384 will go into effect on July 1, meaning police will have new restrictions on collecting information. Under HB 1384, police must get a search warrant to use drones or place a tracking device or camera in an individual’s car or on their property, and under HB 1009, police must have probable cause or consent to search a phone. Rep. Mike Speedy (R-Indianapolis) said, “As technology advances … there is a shift of power into law enforcement or into government away from our own privacy and our own ability to own and control our private information,” adding these bill help to modernize the laws. [The Statehouse File]

Workplace Privacy

US – National Labor Relations Board Eyeing Social Media Policies

Even while states continue to pass legislation regulating how employers can monitor and access their employees’ social media profiles, the National Labor Relations Board (NLRB) is also monitoring companies’ social media policies—and finding some of them lacking. The NLRB has issued three memos regarding social media policies and “employers may find some of the conclusions in these memos disturbing.” [GovernmentHealthIT]

CA – Feds Still Improperly Collecting Background Info on Access-to-Info Requesters

The federal government continues to collect background information on individuals who file access-to-information requests, more than seven months after officials agreed to stop the practice. An online service launched last year requires all requesters applying for documents under the Access to Information Act first to indicate whether they’re members of the media, business, academia or other categories. The service, which to date has processed almost 30,000 electronic access-to-information requests, does not allow a requester to decline to identify her or his background — and failure to select a category halts the process in its tracks. Last fall, Canada’s information watchdog secured a commitment from the Treasury Board, which is responsible for running the online service, to provide a “decline-to-identify” option. The access law does not authorize the collection of background information from individual requesters, and a government-wide directive from 2010 requires institutions to process requests without regard to the identity of the person seeking records. Treasury Board told the information commissioner last November the fix would likely be in place by March 31 this year, but the measure still has not been implemented even as other aspects of the online site have been regularly improved, based on user feedback. [The Canadian Press]

+++

16-31 August 2014

Big Data

US – Researchers Release Paper on Big Data Pitfalls

Princeton University’s Solon Barocas and lawyer Andrew Selbst have published their paper on “Big Data’s Disparate Impact.” While big data has its benefits, they argue, data mining as a decision-maker “has the potential to reproduce existing patterns of discrimination, inherit the prejudice of prior decision-makers or simply reflect the widespread biases that persist in society,” adding that antidiscrimination doctrines currently on the books aren’t equipped to handle the concerns arising from big data’s pitfalls. [SSRN]

Canada

CA – OPC Annual Report: Online Transparency is “Significant Concern”

In the Office of the Privacy Commissioner’s (OPC) 2013 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), online transparency is cited as “a significant concern.” The OPC accepted 426 PIPEDA complaints in 2013, almost double from the year before (although 183 pertain to one complaint against Bell Canada). “It is becoming increasingly apparent that the protection of privacy demands a partnership between individuals and the corporations with which they interact,” said Privacy Commissioner Daniel Therrien. “Like any successful partnership, this must be based on trust and therefore openness. Now that personal data has become such a precious coin of commerce, the rules governing its collection, use and disclosure must be crystal clear, well-understood and actively accepted.” The OPC dedicated the report to former Privacy Commissioner Jennifer Stoddart. [CBC News] [Canada: Privacy complaints doubled in 2013] See also: Mondaq reports on opportunities for public input on British Columbia’s Personal Information Protection Act (PIPA), including public hearings on September 8 and 9, and written submissions will be accepted until September 19th.

CA – Retired Judge Recommends Spy Agency Increase Protections

Communications Security Establishment Canada (CSEC) Commissioner Jean-Pierre Plouffe, a retired judge, says CSEC should do more to protect Canadians’ privacy. Plouffe said if CSEC intercepts emails made to a person in Canada, such emails should either be marked for deletion or as essential to national security. If deemed essential, they should be reevaluated every quarter to verify whether they are still required. Plouffe recommended the government issue a directive to CSEC on information-sharing with its partners, spelling out how Canadians should be protected, and “CSEC itself should ‘promulgate guidance to formalize and strengthen practices for addressing potential privacy concerns’ involving the Five Eye partners,” the report states. [Reuters]

US – The Supreme Court Decision on IP Addresses and Its Implications

Canada’s Supreme Court unanimously concluded individuals “may have an interest in anonymity on the Internet that should be taken into account in determining whether law enforcement should have warrantless access to subscriber information associated with Internet Protocol addresses.” The court determined Internet service providers’ (ISPs’) terms of service and the Personal Information Protection and Electronic Documents Act (PIPEDA) “did not affect the analysis in the way previous courts had suggested,” writes Timothy Banks of Dentons Canada in this Privacy Tracker post. “The court rejected the idea that PIPEDA permits an organization to respond to a police request that would otherwise violate an individual’s reasonable expectation of privacy.” This decision sets the stage for consideration of other data and has implications for any organization that receives police requests for information. [Source]

CA – Number 25: Dr. Ann Cavoukian – Canadian Power 50

Ann Cavoukian, Executive Director, Ryerson University, Institute for Privacy and Big Data: While few outside the world of privacy regulation know her name, the former Ontario Information and Privacy Commissioner is Canada’s most powerful broker in convincing corporations and government agencies to treat people’s private data with care. “She was more a force of nature than a regulator,” says Jules Polonetsky, of the Future of Privacy Forum, a think tank in Washington, D.C. “She’s used every policy tool, and then some, to advance the Privacy by Design agenda.” Cavoukian’s model encourages corporations, governments and other organizations to embed privacy alongside normal business practices. She counts GE, McAfee and Intel among .her enthusiastic supporters. Cavoukian’s strategy has been to work with companies and organizations to help them achieve their goals, while still ensuring they uphold strict privacy standards. ‘‘If you approach privacy in this way, you will always get a seat at the table,” Cavoukian says. “Otherwise you don’t get heard.” [Canadian Business Magazine]

Consumer

US – Fitbit Responds to Senator’s Public Call for Transparency, Legislation

Despite concerns raised by Sen. Charles Schumer (D-NY), Fitbit says it does not sell personal data to advertisers. Schumer warned of a potential “privacy nightmare” regarding concerns the company sold users’ data to advertisers and called for federal regulations to require it and similar companies to allow customers to prevent their data from being sold. But the company responded by spelling out its privacy policy on its website. Meanwhile, Neustar’s privacy officer Becky Burr tries to alleviate customer concerns over worries about data-aggregating companies like hers in a sponsored post on Business Insider. [Associated Press]

WW – Survey: 80% Want Limits on Third-Party Data-Sharing

GFK has released its Survey on Data Privacy and Trust, in which it interviewed 1,000 Americans in an effort to understand the way they perceive and manage their personal data and how this differs by generation. The survey found 59% say their level of concern for their data has risen in the past 12 months, and two-thirds of respondents from older generations say the government isn’t doing enough to protect their data. “Overall, almost 80 percent of respondents feel that there should be more regulations, preventing organizations from repurposing personal data to third parties,” the report states. [Source]

US – BBB: Cross-Device Tracking Requires Notification, Opt-Outs

The Better Business Bureau (BBB) has warned that, based on its Accountability Program, companies engaging in cross-device tracking—including cookies, fingerprinting and other technology—must provide users with notification and opt-outs. The BBB’s Genie Barton said if companies are “tracking online and they’re going to use the information cross-screen, they need to tell consumers that and make clear that consumers can opt out.” [MediaPost]

E-Government

UK – Ban Junk Mail Companies from Accessing Electoral Roll, Councils Say

Junk mail companies should be barred from being able to buy access to the personal data of millions of people including their names and addresses, council leaders have said. Under present rules marketing companies can buy the details of 1,000 people from the electoral roll for £21.50 and use it to send out junk mail promoting products and services. The data is held on the public version of the electoral roll, meaning any person or company can buy the information. While people can choose not to be listed publicly on the register, very few are aware that they can do so. Councils fear that concerns about junk mail could be deterring people from signing up to vote and are calling for the public register to be scrapped. More than 11 billion items of junk mail are produced each year in the UK with each household getting at least 400. The industry is worth about £250 million. [The Telegraph]

US – Vote! You Just Might Win $50,000

To get people more involved–and prevent further embarrassment–the city is now considering a pilot program that would use lottery-type cash prizes as enticement to get locals to participate in elections. The Los Angeles Times reported that on Thursday night, the Los Angeles Ethics Commission voted unanimously to recommend that the city council begin offering cash prizes to voters randomly as soon as next year. “Maybe it’s $25,000 maybe it’s $50,000,” said [Ethics] Commission President Nathan Hochman. “That’s where the pilot program comes in–to figure out what … number and amount of prizes would actually get people to the voting box.” … “Wouldn’t we get a lot of people who know nothing about politics or the candidates jumping in and voting and just checking the box so they could get a million bucks?” the radio host asked Guerra. “Absolutely,” Guerra responded. But, he added, that might not be bad thing. “That might produce better results. There is no data to show that uninformed voters make worse decisions than informed voters.” (TIME)

NZ – Public Servants See Inappropriate Access of Personal Data

A survey has found that one in every 20 public servants has seen a colleague inappropriately accessing or misusing a client’s personal information in the past year. The finding doesn’t surprise Accident Compensation Corporation client Bronwyn Pullar, who was sent files about almost 7000 other ACC clients in one of New Zealand’s worst privacy breaches in 2012. “I don’t think New Zealanders appreciate the extent to which there is inappropriate and unauthorised use of information,” she said. “It does raise serious concerns about the degree of access Government employees have over people’s private information, particularly sensitive health information.” The survey found that the highest proportion of public servants who saw improper access or misuse of personal files – 7% – was in the district health boards (DHBs). The numbers were 4% in core government departments, 3% in non-DHB Crown agencies such as ACC, and 2% in other Crown entities such as TVNZ. [nzherald.co.nz]

E-Mail

EU – Judge Says Microsoft Must Turn Over eMails Stored on Server in Ireland

A US District Judge in New York has ordered Microsoft to turn over email records stored on a company server in Ireland to US authorities. US District Judge Loretta Preska wrote that “it is a question of control, not a question of the location of that information.” Privacy laws in Europe are stronger than those in the US. [ArsTechnica] [ZDNet]

WW – Facebook Reports Enormous Uptick in Use of Snoop-Proof Email

The social network sends billions of emails to users daily and says adoption of the encryption standard it uses has skyrocketed among webmail providers. The percentage of emails sent from Facebook that are received by webmail providers which support encryption has jumped from less than 30% in May to 95% by mid-July, according to a Facebook blog post. [Source]

Electronic Records

US – National Database Could Streamline Care, But Concerns Persist

There are concerns about state health information exchanges that could one day connect, compiling patient data in a vast national database. It’s already likely becoming a reality as states create health information exchanges that will allow professionals nationwide to access records. While advocates say a centralized storage center makes sense from a patient-care perspective, streamlining access to information and reducing redundancies as well as costs, critics worry about where the data will be stored, who will have access and how it will be used. [InformationWeek]

Encryption

US – NIST Report Urges Tighter Implementation of SSH

According to a report from the National Institute of Standards and Technology (NIST), US companies are not implementing Secure Shell (SSH) appropriately or well. SSH is often used to allow automated communications between hosts. The report says, “The security of SSH-based automated access has been largely ignored.” NIST is accepting comments on the document through September 26, 2014. [The Register] [NIST] [Reading Encryption Keys from Surface Electric Potential Measurement] [Mobile Applications use bad SSL Implementations]

WW – Will Tokenization Be the Way Forward for Data Transfers?

The possibility of foreign government access to personal information has been a hurdle to international data transfers, even between countries with strong ties such as Canada and the U.S. Timothy Banks writes about a report from BC Information and Privacy Commissioner Elizabeth Denham indicating there may be hope for Canada-U.S. data transfer in the form of “tokenization,” a system of de-identifying data using random tokens as stand-ins for meaningful data. While questions remain, Banks writes, “Denham’s openness to considering this method of de-identification illustrates a practical commitment on the part of Canada’s data protection authorities to revisiting the issue of de-identification, which could have broader implications for data processing and data use.” [Privacy Tracker] Timothy Banks writes for Privacy Tracker about a report from BC Information and Privacy Commissioner Elizabeth Denham that indicated there may be hope for Canada-U.S. data transfer in the form of “tokenization,” a system of de-identifying data using random tokens as stand-ins for meaningful data.

EU Developments

EU – Court Rules Facebook Must Respond to Schrems Suit

A class-action lawsuit against Facebook will move forward after an Austrian court said the company must respond to the 25,000 individuals who joined in the complaint alleging the company violated its users’ privacy. Earlier this month, privacy activist and lawyer Max Schrems filed the lawsuit against the social network. The suit alleges Facebook’s data use policy violates EU law, including reusing data without an individual’s consent and unauthorized sharing of user data with third parties. Europe-v-Facebook, the group led by Schrems, is demanding 500 euros per individual in the suit. The Vienna Regional Court ruled Facebook has four weeks to address the complaints but said it can file for a four-week extension. [ZDNet] [Austrian court orders Facebook to respond to privacy suit claims] SEE ALSO: Newly appointed EU Justice Commissioner Martine Reicherts pushed for clearing up the right-to-be-forgotten debate and adopting strong data protection reform soon, according to a Europa press release.

France’s data protection authority, the CNIL, will begin conducting cookie audit on websites in October, and for the first time ever, will be able to do so remotely.

EU – Telegraph Keeping List of Stories Taken Down Under RTBF

Thus far, 250,000 takedown requests have been made under the Court of Justice of the European Union (CJEU) “right to be forgotten” ruling in May requiring Google to remove links to any content that is “inadequate, irrelevant or no longer relevant” or else face a fine. Though the content is not deleted, Google will not list it in its search results. Users searching for a particular topic on google.co.uk will see a message indicating the information has been removed under data protection laws, while those using the U.S. site google.com will be unaffected, even if they live in the UK. The Telegraph has begun a running list of the paper’s content that has been removed from search results. [Source]

UK – Direct Marketing Association Code of Practice – Direct Marketing Association

The new Code of Practice focuses on 5 principles – put the customer first (understand the customer’s needs and offer relevant products and services), respect privacy (act in accordance with customer expectations), be honest and fair (act in a transparent manner, and do not use high-pressure sales tactics), be diligent with data (treat personal data with care and respect, in accordance with data privacy principles), and take responsibility (members are responsible for the actions of their agents and must have records to demonstrate compliance with the Code). [Source]

Facts & Stats

US – Companies Say Users Consented to Uploading of Contacts

Twitter, Yelp, Foodspotting and other app developers are asking a federal judge to dismiss a lawsuit accusing them of violating iPhone users’ privacy by uploading their address books. In court papers, Twitter argues that the users who are now suing previously consented to share information about their contacts by opting in to the service’s “find your friends” feature, the report states. Twitter says the users have no grounds to sue for storing the data. Yelp and Foodspotting have responded to the suit with similar arguments. [MediaPost] See also: [How to Read (and Actually Understand) a Wearable Tech Privacy Policy]

WW – Extending Passwords Best Defence Against Password-Cracking Tools

Longer passwords are harder to decode than those which are shorter but more complex in nature, according to a new study. A technology expert has said that the news has implications for companies’ password policies and for the risks involved in storing encrypted versions of the passwords. “Many general users and some IT administrators incorrectly assume that using various uppercase letters, lowercase letters, numbers and special characters in a password will make it more secure,” Trustwave said. “The practice would likely make it harder for a human to guess your individual password, but it does not make recovering the password any more resource-intensive for password-cracking tools. Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password.” Trustwave explained the findings as it outlined the result of a study it conducted into password security. The company built two machines to decipher 626,718 ‘hashed’ passwords and said it managed to work out more than half of those encrypted passwords within a few minutes. It “eventually cracked 576,533 or almost 92% of the sample within a period of 31 days”, it said. [Source] See also: [The password of the future may be your heartbeat — no, really]

Filtering

US – University Bans Social Media, Political Content and Wikipedia Pages on Dorm Wifi

Northern Illinois University enacted an Acceptable Use Policy that goes further than banning torrents, also denying students access to social media sites and other content the university considers “unethical” or “obscene.” A discussion on the ban was brought to Reddit by user darkf who discovered the new policy while trying to access the Wikipedia page for the Westboro Baptist Church from his personal computer in his dorm room. The student received a filter message categorizing the page as “illegal or unethical.” It seems possible to continue to the webpage, but the message warns that all violations will be reviewed. (BetaBeat)

WW – People are More Likely to Self-Censor If Others Online Disagree WithThem

In the age of social media, it may seem like everyone has an opinion to share on the latest news of the day. But a new study released by the Pew Internet and American Life Project has revealed that, in fact, there may fewer opinions on your feeds than you think. Last summer, researchers from Rutgers University and Pew asked 1,800 American adults how likely they were to speak out, online and in person, about the news that former NSA contractor Edward Snowden leaked information regarding domestic surveillance to media outlets. They found that while 86% of Americans would be willing to have a conversation about the issue in person, just 42% of Facebook and Twitter users were willing to post about it on those platforms. The study also found that peer pressure on these sites is alive and well. If people thought their opinions would be well received, they were more likely to post about the topic. But even the thought that some of their followers and friends might disagree led many to self-censor. And the more information people had about the diversity of opinions on their social networks, the less likely they were to speak up, the study found. That unwillingness to speak up also transferred to the real world. [The Washington Post]

WW – Thermal Imaging to Become Smartphone Add-On

Smartphones are getting a new way of seeing: thermal imaging. A group of industry veterans plan to begin selling an add-on camera for smartphones for about $100 or less that will allow for generated color thermal images that can be contrasted with traditional images using a split-screen feature. It may be used for finding lost pets, playing hide-and-seek or spotting intruders, for example. “It’s very hard to hide from a thermal imager,” one expert said. “You can’t get behind a bush—you will show up.” [The Wall Street Journal]

FOI

US – MIT Researchers Create “HTTP with Accountability”

Researchers at the Massachusetts Institute of Technology (MIT) Decentralized Information Group are creating a new tool to stymie the “inadvertent misuse” of sensitive data by unauthorized users. Dubbed “HTTP with Accountability,” or HTTPA, the tool would automatically scan the transmission of private data, allowing the data owner to analyze how it’s being used. Under the guidance of web founder Tim Berners-Lee, MIT graduate student Oshani Seneviratne and CSAIL Research Scientist Lalana Kagal will share their insights on HTTPA at the IEEE’s Conference on Privacy, Security and Trust this July. “It’s not that difficult to transform an existing website into an HTTPA-aware website,” Seneviratne says. “On every HTTP request, the server should say, ‘OK, here are the usage restrictions for this resource’ and log the transaction in the network of special-purpose servers.” [ZDNet] See also: [Canada: SaskTel has under-reported how often the company gives customers’ information to government agencies and police] and [SK: Names of disciplined teachers should be withheld, privacy commissioner says]

Genetics

US – NIH’s Genome Project Data-Sharing Policy Suggests Seeking Broad Consent

The National Institutes of Health (NIH) has released a data-sharing policy promoting the sharing of “large-scale human and nonhuman genomic data generated from NIH-funded research.” The goal is to “speed the transition of data into knowledge, products and procedures that improve health while protecting the privacy of research participants.” The NIH is encouraging those using genomic data to seek “the broadest possible sharing permissions” from participants for the future use of their data, the report states. [HealthData Management] [US: NIH Releases Final Genomic Data Sharing Policy] See also: Advocates in Minnesota are pushing to reinstate a DNA collection law deemed unconstitutional by an appellate judge now that the U.S. Supreme Court has okayed the practice.

Google

WW – Google to Offer Kids Under 13 Online Accounts

Google plans to offer accounts to children under the age of 13 for the first time. Sites typically avoid offering services to children under that age because of the U.S. Children’s Online Privacy Protection Act, which requires parental consent and tightly controls how data may be used. But Google’s new system would allow parents to set up accounts for their kids and control how they use Google services and what information about their children can be collected. [The Wall Street Journal] See also: [Meanwhile, Junkee’s Elizabeth Flux reports on a Google Maps website that reveals, when a user’s location services are on, where the phone has been for up to a month. For the website to work, a user must log in with the same account used on a smartphone and have location services turned on.]

WW – Google Goes Public With Security Audits to Ease Corporate Concerns

Google is taking unprecedented steps to show its cloud, business, and education customers that data protection is its top priority. To prove its commitment, Google is making the details of an independent security audit and of a security compliance certificate available to the public for the first time on its Google Enterprise security site. The SOC 3 Type II audit report and updated ISO 27001 certificate denote security approval for Google Apps for Business, Google Apps for Education, and Google Cloud Platform. Security and data centers are both big business. Google currently employs more than 450 full-time security engineers, and a Gartner study projects that companies will spend nearly 8 percent more on security this year than they did last year. The SOC 3 report and the ISO certificate that Google made public are widely accepted, internationally recognized security compliance standards. The SOC 3 is essentially a shorter report from the same audit as the longer SOC 2, while the ISO certification covers organizational and logical security. [CNET]

AU – Google’s Knowledge Vault Already Contains 1.6 Billion Facts

Google has decided to create the largest store of knowledge in human history and it is going to create it without using human brainpower. Google’s Knowledge Vault is a massive database of facts, built up by an algorithm that autonomously trawls the web and transforms data into useable, bite-sized pieces of information. The predecessor of Knowlege Vault, known as Knowledge Graph, used crowdsourcing techniques but Google realised that humans could only take the project so far; computers could drastically speed up the process. To date the Knowledge Vault contains over 1.6 billion facts. This huge fact reservoir will be the basis of future search engines. Google is currently racing Microsoft, Facebook, Amazon and IBM, who are all attempting to build the same kind of database. The Knowledge Vault will be the foundation for smartphone and robot intelligence. Siri is going to get a lot better at interpreting what you mean when you ask her questions in the future. In the future, virtual assistants will be able to use the database to make decisions about what does and does not matter to us. Our computers will get better at finding the information we are looking for and anticipating our needs. Once the Knowledge Vault can interpret objects on sight, it will become integral to real-time information generation. One day you might be able to walk around, point your phone at an object, ask a question about it and recieve an intelligent response. At the Conference on Knowledge Discovery and Data Mining in New York on 25 August Kevin Murphy and his team will present a paper on the Knowledge Vault. [Science Alert]

Health / Medical

US – Why Psychologists Need Social Media Best Practices

Steven Petrow discusses his concerns with mental health professionals sharing too much about themselves online, particularly on social media sites like Facebook. The issue started when Petrow saw much of his analyst’s personal information because of the privacy settings on the doctor’s personal Facebook account. “At that point, I started wondering,” Petrow wrote, “Are there no social media best practices for mental health professionals?” As of now, there are not, but, he reports, the American Psychological Association (APA) has published “The Internet’s Ethical Challenges,” in which APA Director Stephen Behnke writes, “psychologists have special ethical issues they need to think through to determine how this technology is going to affect their work.” [The Washington Post]

Horror Stories

US – 200 Hospitals Hit Affecting 4.5 Million Patients

Tennessee-based Community Health Systems (CHS) says that intruders accessed its system over a three-month period earlier this year, compromising patient names, addresses, and Social Security numbers

(SSNs) of 4.5 million people. The company maintains that medical and financial information was not affected. CHS operates more than 200 hospitals in 29 US states. The company claims that the attacks emanated from China. Information in CHS’s Securities and Exchange Commission (SEC) Form 8-K filing says that the intruders were attempting to obtain medical equipment device development information, but were thwarted in their efforts. [DarkReading] [BBC] [NYTimes] [ComputerWorld] [The Register] [CHS SEC Filing]

WW – Breach Roundup

South Korea – 70% of South Korea’s population between the ages of 15 and 65—and more than half of South Korea’s total population—may have had their personal information stolen in a data breach involving 27 million people and 220 million records. Sixteen hackers were arrested on Thursday for allegedly circulating the records and conducting money laundering schemes which earned them at least $390,000. The hackers targeted registration pages for online gaming and gambling sites and online ring tone and movie ticket stores.

UPS – UPS announced that 51 UPS locations have been affected by a malware breach. UPS was quick to do the math to assure customers that the breach only impacts about 1% of their 4,470 franchised stores. The Wall Street Journal reports that the breach affected approximately 105,000 customer transactions. The malware may have been in the stores as early as January 20, 2014, but UPS believes the breach began after March 26, 2014. The malware was eliminated by August 11, 2014, so UPS says it’s safe to use your card in UPS Stores now. A full list of affected stores is available on the UPS website. [CNET] [Ars Technica] [NBC News] [SC Magazine]

PlayStation Network – A group named Lizard Squad says it was responsible for a DDoS (distributed denial of service) attack that took down PlayStation Network on Sunday. Sony announced that the network was back online and no personal information had been stolen. Lizard Squad’s attack escalated beyond simply shutting down the PlayStation Network when the group tweeted that there were explosives on board an American Airlines flight carrying Sony Online Entertainment President John Smedley. The FBI is now investigating the bomb threat, and Lizard Squad says it is moving on to target Xbox Live.

JPMorgan ChaseAccording to security firm Proofpoint, JPMorgan Chase customers are under attack in a phishing scheme called a “Smash and Grab Campaign.” Approximately 500,000 phishing emails have been sent out so far, with 150,000 emails in the first wave. Here’s how it works: after clicking a link in a phishing email designed to look like it’s from JPMorgan Chase, a customer is taken to a login webpage that automatically installs Dyre banking Trojan on the user’s computer, whether or not the customer decides to enter login information. Proofpoint says the attackers are not worried about stealth, and are instead focusing on sending out a high volume of emails in hopes that some percentage of recipients will click on the links. Reuters reports that the attack is consistent attacks by Eastern European cyber gangs.

Backoff – According to a Secret Service announcement on Friday, more than 1,000 U.S. businesses have been compromised by a Point of Sale (PoS) malware dubbed “Backoff.” Seven PoS system providers and vendors have confirmed that some of their clients were affected by the malware. No breaches have been directly connected to Backoff, although there is speculation that the malware is tied to recent breaches such as Target, Supervalu, and UPS. The existence of Backoff was first announced on July 31, 2014, by the National Cybersecurity and Communications Integration Center and U.S. Secret Service.

Onsite Health Diagnostics – Third time is not the charm for Onsite Health Diagnostics. Children’s Mercy Hospital in Kansas City is notifying 4,076 individuals that they were victims of a data breach that occurred two years ago when the hospital registered for a wellness program, according to the Kansas City Star. The compromised information was originally collected in 2012 and stored by Onsite Health Diagnostics. When Onsite discovered the breach, it deleted the old data that had been on its servers ever since 2012. This is the third reported breach involving Onsite this year.

USIS – Two weeks ago, I wrote about a potential breach to U.S. Investigative Services (USIS). At that time, the scope of the breach was not known, but it now looks like up to 25,000 government workers may have been affected by the breach in the Department of Homeland Security, U.S. Immigration and Customs Enforcement, and U.S. Customs and Border Protection units, according to sources in the investigation. USIS has begun emailing those affected by the breach, informing them that their Social Security numbers, birth dates, education and criminal history, and names and addresses of relatives and friends, may have been accessed, according to Reuters.

US – LinkedIn, Capital One Settlements Total Nearly $77 Million

LinkedIn has agreed to pay $1.25 million to settle a class-action lawsuit stemming from a 2012 data breach. The settlement requires LinkedIn to pay up to $50 to some of the users who purchased premium memberships, and the company promises to protect users’ passwords by “salting” and “hashing” them for the next five years, the report states. One lawyer called the settlement “extraordinary” because it provides “significant direct cash to the class and valuable prospective relief.” Meanwhile, users who sued Facebook for privacy violations are asking a California judge to consider U.S. District Judge Lucy Koh’s recent refusal to toss similar claims brought against Yahoo, and Capital One Financial Corp. and three collection agencies have agreed to pay one of the largest settlement amounts in history—$75.5 million—to end a privacy class-action. [MediaPost]

Identity Issues

EU – CNIL on Traffic Measurement, Analysis of Consumer Behavior in Stores

Companies that implement devices which record consumer behavior (through a billboard camera or a mobile phones) are obliged to take steps that ensure the anonymity of data subjects; for billboard cameras ensure that the images are not stored, transmitted or are visible to device providers. Prior to setting up these devices, authorization is required from the CNIL for any system that automatically measures the audience of an advertising device or analyzes the typology or the behavior of people around an advertisement. [CNIL]

EU – Netherlands: DPA Issues Second Opinion on the Benefits of eID

The DPA has issued a second opinion (source document in Dutch) on a report on the public benefits of a new electronic ID system (“eID”). This system is being developed by the Dutch government together with the private sector as an online identification and authentication system that may be used for the exchange of personal data in the context of the online provision of services. The DPA questions whether the eID system will in practice increase security overall compared to the current DigiD-system and is concerned that due to a higher level of security, more confidential information will be shared, which in turn introduces new security issues. [Mondaq News]

Internet / WWW

WW – Ralph Lauren Releases “Smart” Polo Shirt

Designer Ralph Lauren has released a “smart” Polo shirt. The compression shirt has knitted-in sensors capable of reading biological data such as heartbeat, respiration, stress level and energy output. The shirt’s aim is to “improve general wellness and increase physical fitness,” according to the brand. It was developed with a Canadian-based maker of wearable fitness trackers. “Our goal is to create and reflect the ultimate lifestyle, and we believe a healthy and active life is an essential part of that,” said a Ralph Lauren representative, adding, “Ralph Lauren is excited to help lead the industry in wearable technology in this ever-evolving, modern world.” [PC Magazine] EE ALSO: [HP Investigates “Internet of Things” devices and finds plenty of Vulnerablities]

UK –Spies Have Scanned the Internet Connections of Entire Countries

Heise has obtained documents showing that a GCHQ system, Hacienda, can scan every internet address in a given country to see both the connection types in use (such as web servers) as well as any associated apps. The scanning platform is looking for relevant targets and any exploitable security holes; if a target is running software with known vulnerabilities, it’s relatively easy for agents to break in and either swipe data or set up malicious websites that trick suspects into compromising their PCs. Poring over this much data would normally be time-consuming, but there’s a companion system (Olympia) that makes it easy to find useful information within minutes. The technology itself isn’t shocking; anyone can do this, if they don’t mind incurring the wrath of internet providers and law enforcement. However, the global scale of Hacienda is bound to raise eyebrows. Agents had scanned 27 whole countries as of 2009, along with parts of five others — it’s clear that the goal is to have complete national network maps on demand, whether or not they’re really needed for investigations. GCHQ can also hand its findings over to the NSA and other intelligence groups. There are ways to thwart this probing, such as the early version of an internet stealth protocol (TCP Stealth), but it could be a while before you’re completely off the radar. [Source]

Law Enforcement

US – Ferguson Events Prompt Calls for Police Body Cams

Amidst the events swirling in Ferguson, MO, calls for police-mounted body cameras have been increasing, but some are concerned such surveillance could pose significant privacy issues, including the loss of anonymity in public and lack of national guidelines for proper use. The cameras would be mounted either on an officer’s chest or sunglasses to record interactions with citizens and suspects. The Electronic Frontier Foundation’s Jennifer Lynch asks, in a separate report , “What happens to the data after the fact?” UC Berkeley’s Jen King points out that putting secure systems in to protect sensitive data collected by the cameras requires expertise that many departments simply do not have. [New York Times]

US – California Cops Caught Using Police Database to Spy on Potential Mates on Online Dating Sites

Two veteran police officers in Fairfield, California are being investigated for using confidential law enforcement databases to obtain private information about women they met on online personal websites. Sergeant Stephen Ruiz and Detective Jacob Glashoff are accused of misusing the California Law Enforcement Telecommunications System database in order to pry into the lives of women they were interested in meeting on Tinder.com, Match.com, eHarmony.com, and Care.com, according to court documents. Authorities were alerted to the pair’s actions by one of their colleagues, who said that they were on the sites “while at work every day for what seems like months,” and were “often having their own side conversations regarding dating sites.” [The Daily Republic] See also: [The Sexual Predator App With a 100 Percent Conviction Rate]

Location

US – Smart Outlet Startup Raises $1.65 Million in Seed Funding

Zuli, a startup “making a connected outlet with presence detection and energy monitoring, has raised $1.65 million in seed funding from several investors.” That follows a Kickstarter launch in December that raised more than $175,000, the report states. Zuli’s CEO says it plans to partner up with other smart home device-makers interested in the “Bluetooth mesh concept,” which offers presence detection—communicating where a person is in relation to a smart outlet. [GigaOm]

Online Privacy

WW – Attack on TOR Attempted to Strip Traffic Anonymization

The TOR Project has issued an advisory about malicious relays being used to launch an attack on the TOR network that persisted for five months and may have revealed identifying information about the network’s users. The TOR Project says it stopped the attack on July 4. The attack appears to have been designed to unmask TOR users’ identities. It is possible that the attack was launched by researchers at Carnegie Mellon University, who recently cancelled a talk they planned to give at the Black Hat security conference at the behest of CMU lawyers. The TOR Project also said that anyone who used the service or operated the service during that time “should assume they were affected.” [ArsTechnica] [BBC] [ZDNet] [SCMagazine] [v4.co.uk] [TOR Project Advisory]

WW – Analysis of Chrome Extensions Finds Malicious Activity

Researchers analyzed extensions for Google’s Chrome browser and found that many conduct malicious activity, including fraud and data theft. The activity often remains undetectable to most users. Of 48,000 extensions analyzed, 130 were “outright malicious,” and more than 4,700 exhibited signs of suspicious behavior. [ComputerWorld]

WW – Blog Names Unsecure Apps and Services

A Tumblr blog called HTTP Shaming posts a list of apps and services that do not take sufficient measures to protect user data. The site’s creator hopes that making this information known will prompt companies to encrypt data sent over wireless networks. The number of apps and services on the list currently stands at 19. If a case is deemed especially serious, it is not posted until the organization responsible for it is contacted so they can mitigate the problem. [ArsTechnica] [SMH.com] [

WW – App Store Removing Privacy-Friendly Apps

Certain apps are being removed from the Android app store based on Google’s policy of banning apps that interfere with other apps. Disconnect Mobile is one such app that was recently removed from the store; its aim was to stop other apps from collecting data on users. The practice is indicative of the concerns that some have voiced over the amount of control Google, and its rival Apple, have through their app stores. Casey Oppenheim, Disconnect’s co-founder, notes, “There is no reason why you shouldn’t have the same degree of control over the computer you have in your pocket as you do over your computer on your desktop,” but a Google spokeswoman says its policies are “designed to provide a great experience for users and developers.” [Wall Street Journal]

WW – Tumblr Partners With Photo-Scanning Company

Social network Tumblr has reached a deal with photo analysis company Ditto Labs to scan its users’ photos to help companies better understand how their brands are being perceived online. T.R. Newcomb, Tumblr’s head of business development, said, “Right now, we’re not planning to do anything ad-related.” Meaning, for example, if a bottle of Coke appears in a user’s photo, that user will not start receiving Coke ads. “If Coke wants to understand the nature of the conversation (about them on Tumblr) Ditto can sift through and deliver it to Coke,” Newcomb said. According to the report, Tumblr appears to be the first major online company to employ such photo-scanning techniques. [Mashable]

WW – Unlocking the Web’s Black Box

A new tool for tracking personal data online. Called XRay, the open-sourced tool created by researchers at Columbia University reverse-engineers correlations made by web services-for example, Gmail or Facebook ads or Amazon product recommendations-to help understand how the ads or recommendations are served up. “The web today is a big black box,” said one of the researchers. “What’s needed is transparency.” [New York Times]

WW – On “Creepy” Personality Tools and Data Doppelgangers

There is criticism over the amount of user data Facebook may be able to collect under changes to its ad network. Some are also criticizing the U.S. Federal Trade Commission for allowing the company to make the changes, arguing they violate a 2011 privacy settlement. The Post also looks into a new tool called Five Labs that scans a user’s Facebook profile to generate a personality test. Five Labs’ Nikita Bier said the most common response from volunteers who helped with the program was “this is kind of creepy” and many asked if Internet companies would use this kind of analysis on users. The Atlantic examines “why customized ads can be so creepy, even when they miss their target.” [The Washington Post]

US – AOL Won’t Respond to DNT Until Uniform Standard Exists

AOL has disclosed it doesn’t respond to do-not-track (DNT) signals. The company said it may be willing to reconsider its position “if the industry can agree on a uniform do-not-track standard,” the report states. In part of its most recent privacy policy update, AOL inserted a new section indicating how it intends to react when a DNT signal is sent by an online user. [Law 360]

Other Jurisdictions

AU – Australian Legislation Would Give Intelligence Agency Broad Access to Computers

Legislation proposed by Australian attorney general George Brandis would broaden the Australian Security Intelligence Organisation’s (ASIO) access to computers and networks. Some legal experts say that the law could be interpreted to give ASIO access to every Internet-connected computer. Civil liberties groups are also concerned about provisions that would criminalize journalists who receive and publish leaked documents. [ZDNet] [The Guardian] SEE ALSO: At the recent APEC’s Data Privacy Subgroup meetings, Canada submitted its Notice of Intent to participate in the Cross Border Privacy Rules system, meaning, after a favorable determination by the APEC’s Joint Oversight Panel, Canada will become the fourth country to join the system. Supratim Chakraborty writes on India’s data privacy regime. Advocates are calling for laws to keep up with Internet usage in Indonesia. Some say Romanian law requiring registration of pre-paid SIM cards violates citizens’ privacy rights.

NZ – Plan to Expose Breaches of Privacy Act

Privacy Commissioner John Edwards says his office is considering naming and shaming agencies that break the rules on personal information. Mr Edwards said until now, agencies and companies that breach the Privacy Act have rarely been named publicly. He said the new policy would enable the office to be a more effective regulator, particularly in cases of repeat offenders. The Office of the Privacy Commissioner will release a discussion document on the naming policy next week to get public feedback on the idea. In the interim, Mr Edwards said he planned to make more use of the regulatory powers he already had and take a tougher line on privacy breaches. [Radio New Zealand News]

MX – DPA Won’t Challenge New Telecom Law; Advocates Outraged

The battle over Mexico’s new telecom law persists, Global Voices reports, with many citizens fearing the law could mean censorship and an increased level of digital communications surveillance in the country. Privacy advocates are looking to Mexico’s Federal Institute for Access to Public Information and Data Protection (IFAI), but the IFAI voted in a recent plenary session not to challenge the proposed law in the Supreme Court—a decision that sparked backlash on the Twittersphere. The law would allow law enforcement to monitor calls and text messages without warrants and give Mexico’s attorney general the authority to solicit real-time data on cell-phone locations. [Global Voices] Mexico’s Federal Institute for Access to Public Information and Data Protection says it won’t challenge a new law that many fear could mean censorship and an increased level of digital communications surveillance in the country.

Privacy (US)

US – FTC: We Need Comprehensive Data-Security Legislation

While the FTC is responsible for ensuring fair trade practices, it has “been steadily hacking the law to make itself into a privacy and security officer responsible for protecting Americans’ data,” writes Kashmir Hill. It’s come with some controversy, as evident in the case of Wyndham Hotels, in which the FTC charged the brand with “unfair” data practices. Wyndham fought back that the FTC doesn’t have the regulatory authority to oversee data security, and the case is now headed to the Third Circuit. While unable to discuss the Wyndham case, speaking at hacker conference Defcon, Federal Trade Commissioner Terrell McSweeny said, “This reinforces my support—and it’s a unanimous position held by the FTC—that we need comprehensive data-security legislation.” [Forbes]

US – Military Contractors Face New Breach Disclosure and Procedure Deadlines

Contractors for the US Defense Department are facing a new deadline for rules that will require them to report breaches to the Pentagon and to grant the government access to their networks so they can conduct attack analysis. Concerns about the rules include requiring companies to report even minor breaches and allowing the government access to trade secrets and personal information. The rules were part of a congressional Defense Department budget authorization measure in 2013. Director of communications for the Aerospace Industries Association Daniel Stohr said, “Cyber security is increasingly becoming the cost of doing business with the federal government.” [Bloomberg] The American Farm Bureau Federation has filed a complaint in a Minnesota federal court against the Environmental Protection Agency for its public release of farmers’ and ranchers’ personal information.

US – Sen. Questioning Airline Privacy Practices

Sen. Jay Rockefeller (D-WV) has sent a letter to 10 major U.S. airline companies inquiring about their data privacy practices. Rockefeller noted consumer advocates are concerned airline privacy policies “can contain substantial caveats and that it is difficult for consumers to learn what information airlines and others in the travel sector are collecting, keeping and sharing about them.” United, Delta, American and Southwest were among the airlines Rockefeller contacted. “Data collected during ticket purchase can include a passenger’s name, credit card numbers, date of birth, addresses, travel destinations and travel companions,” he wrote, adding, “No comprehensive federal privacy law currently applies to the collection, use and disclosure of consumer travel information.” [PCWorld] Sen. Jay Rockefeller (D-WV) has sent a letter to 10 major U.S. airline companies inquiring about their data privacy practices.

US – Judge Rules LinkedIn Must Face Privacy Lawsuit

Professional services social network LinkedIn must face a privacy class-action lawsuit alleging the company violated its users’ privacy when it accessed their external e-mail accounts, downloaded their contacts’ e-mail addresses and solicited business from those contacts. U.S. District Court Judge Lucy Koh said the practice “could injure users’ reputations by allowing contacts to think that the users are the types of people who spam their contacts or are unable to take the hint that their contacts do not want to join their LinkedIn network,” adding, “In fact, by stating a mere three screens before the disclosure regarding the first invitation that ‘we will not … e-mail anyone without your permission,’ LinkedIn may have actively led users astray.” [Reuters]

Privacy Enhancing Technologies (PETs)

WW – Despite Tools, Anonymity Online Remains Difficult—If Not Impossible

Despite the proliferation of privacy-enhancing tools, anonymity online remains difficult to achieve. Some popular web browsers—Chrome, Firefox, Internet Explorer and Safari—offer “private” web browsing. But that kind of privacy only applies to the user’s computer, the report states; websites can still identify computers by their IP addresses. Similar problems exist with cookie-blocking, encryption and browsers like Tor. Meanwhile, new research findings indicate millennials are determined to take back their digital privacy. [Tech Crunch] See also: [Amazon Web Services First Cloud Provider Authorized to Handle Sensitive DOD Data] and [WSJ: For German, Swiss Privacy Start-Ups, a Post-Snowden Boom | WSJ: Can This Little Orange Box Beat the NSA?]

WW – Researchers Create Privacy Wrapper for Android Web Apps

Users can wrap Facebook and other apps to better control their privacy and security, according to researchers from North Carolina State University. On a mobile application, users typically have a single choice to protect their privacy: install the application or not. The binary choice has left most users ignoring permission warnings and sacrificing personal data. Most applications aggressively eavesdrop on their users, from monitoring their online habits through the device identifier to tracking their movements in the real world via location information. Now, a research group at North Carolina State University hopes to give the average user a third option. Dubbed NativeWrap, the technology allows Web pages to be wrapped in code and make them appear as a mobile application, but with user-controlled privacy. Because many applications just add a user interface around a Web application, the user should have equivalent functionality for many wrapped apps, said William Enck, assistant professor in the department of computer science at North Carolina State University. “You can go to any Web site that you want to turn into an app and create your own custom version that can be installed to your phone,” he said. “Permissions are determined by you, the user.” Numerous studies have found that applications routinely use unnecessary permissions to collect data on users. A study released in February by McAfee found that 82% of applications tracked their users. 99 of the top 100 free mobile applications on both Android and iOS had at least one risky behavior, according to application-reputation firm Appthority’s Summer 2014 App Reputation Report. Paid applications were not much more respectful of their users’ privacy: 87% of iOS and 78% of Android apps risked users’ privacy and security. Appthority defines risky behavior as the collection of location information and device identifiers, the allowing of in-app purchases, or the accessing of the contacts database or the user’s calendar. [ARS Technica]

Security

US – Survey Says Companies Not Prepared to Manage Insider Threats

According to the “2014 Insider Threat Survey” from Spectorsoft, more than half of IT and security professionals feel that their organizations are not adequately prepared to deal with insider threats. The study surveyed 255 people at small and medium sized businesses in the US, Latin America, and Europe. Fifty-five percent attributed the lack of preparedness to a lack of training; 51% attributed it to insufficient budgets; and 34% said that inside threats were not a priority. [SC Magazine] See also: Kaspersky Report Shows Users are concerned about online risks but don’t do anything about them.

US – Study: University Networks Less Secure than Retail, Healthcare Sectors

According to a report from BitSight Technology, college and university networks face greater risk of attacks than retail and healthcare networks. Attackers target university systems during the academic year, and many schools do not have the resources to protect their networks. The report says that part of the reason that network security is worse during the academic year is the presence of so many devices that students bring. Universities can also be appealing targets for data thieves because of the abundance of personal data and research data. Also, many schools have partnerships with government agencies, which could put those agencies at risk as well. Most attacks on university systems come from malware, and most of those are from Flashback, which targets Macs. [SC Magazine] [ZDNet] [NBCNews]

US – FBI and DHS Plan to Provide Healthcare Organizations More Threat Info More Quickly

Following a breach that compromised personal information of 4.5 million patients seen at hospitals operated by Community Health Systems (CHS), representatives from the FBI and the US Department of Homeland Security (DHS) say they are taking steps to share more threat information more quickly with organizations in the healthcare sector. [ComputerWorld]

WW – Researcher Finds Vulnerabilities in Antivirus Products

A researcher in Singapore examined antivirus products and found remotely exploitable flaws in 14 of them. Analysis accompanying the results indicates that many antivirus products pose security risks by requiring broad privileges, not signing updates, and delivering updates over HTTP. [SysCan] [The Register] [ComputerWorld]

WW – Android Reset Flaw Allows Data Recovery

Several Android devices, including the Tesco Hudl, are affected by a reset flaw that allows recovery of data that users may believe they have erased from the device. Three separate investigations, which were carried out with used devices purchased through eBay, came to the same conclusion. [BBC] [The Register] See also: [Android Fake ID Vulnerability]

WW – Tesla to Hire Hackers to Find Connected Car Vulnerabilities

Electric carmaker Tesla Motors will hire up to 30 full-time hackers whose job will be to find and close vulnerabilities in the firmware that controls its cars. “Our security team is focused on advancing technology to secure connected cars,” said a company spokesman, adding the focus is now on “setting new standards for security and creating new capabilities for connected cars that don’t currently exist in the automotive industry.” Tesla’s cars are some of the most digitally connected cars in the industry, the report states, with batteries, transmissions, engine systems, climate control, door locks and entertainment systems remotely accessible via the web. [ComputerWorld].

CA – Study estimates 36 % of Canadian Businesses Know They’ve Been Hit by Cyber Attack

More than one-third of Canada’s IT professionals know — for sure — that they’d had a significant data breach over the previous 12 months that could put their clients or their organizations at risk, a cybersecurity study suggests. And as startling as that statistic may be, the actual number of breaches could be higher since the same international study found 56% of the 236 Canadian respondents said they believed threats sometimes fall through the cracks. “Even the best-protected networks have regular security incidents,” says Jeff Debrosse, director of security research for Websense, a U.S.-based security company that commissioned the study. A Statistics Canada report in June said that six per cent of the 17,000 private Canadian enterprises it surveyed had experienced an Internet security breach in 2013. About one-quarter of those reporting a breach — representing roughly 260 companies — said client or proprietary information had been corrupted, stolen or accessed without authorization. The Websense report done by the Ponemon Institute, a private-sector think-tank that conducts independent research on privacy, found 36% of the Canadian companies in the study had experienced one or more cyber attack over the previous year that infiltrated networks or enterprise systems. It also found 89% cent of the Canadian respondents said they personally know another security professional whose company had sensitive of confidential data stolen as a result of an inside threat. It also found 23% of the Canadian cyber security teams never speak with their executive team. Of those who did, nearly half did so only annually or semi-annually, while only two per cent talked weekly with executives about security. “If the conversation is happening less than monthly, that’s a pretty significant problem,” Debrosse says. [Source]

Surveillance

CA – Peeping Drone ‘An Invasion of Privacy,’ B.C. Homeowner Says

A Victoria-area resident says she spotted a drone buzzing around her property, but police say their hands are tied. Laura Moffett says the man, who was flying the drone in a park across the street, was allegedly trying to peek inside her home in Oak Bay. “It’s an invasion of privacy. We have a skylight above, and on the weekend I had my nieces and nephews around playing in the pool, and what if he had been doing it then and taking videos?” said Moffet. But Oak Bay police Sgt. Chris Goudie says the actions weren’t criminal, and police won’t be recommending any charge. “There’s nothing on the books for hobbyists. It’s much like a remote control airplane. Where it’s going to come to our attention is when they’re intruding on people’s privacy.” Last week a Vancouver man filmed a drone flying spying on his False Creek area highrise condo. [Source]

US – Incentive-Based Insurance Programs on the Up, But Who Has Data Access?

Insurance companies are increasingly offering consumers a deal: Let us track your driving and we’ll give you an annual discount if you behave yourself on the road. In theory, everyone wins, as consumers save money and insurance companies attract safer drivers. But such programs generate vast amounts of data, and while insurance companies promise it’s for their eyes only, some experts have concerns that that’ll change—perhaps to a central industry database. And while the big companies aren’t yet tracking driver location, at least one company is testing it. Meanwhile, researchers in Brazil have presented a potential solution to the pervasive problem of distracted drivers: a dashboard camera in front of a driver capable of spotting cell phone use. [The New York Times] See also: [Datenschutzkommission, Austria – Decision DSB K121.998 – Vehicle Monitoring]

US – ‘Smart’ Lighting System Provides Surveillance at U.S. Airport

Newark Liberty International Airport has installed 171 “smart” LED lighting fixtures, attached to the ceiling, that peer down and record the movements of passengers and staff. They’re incredible pieces of technology: Sure they illuminate, and use much less energy than other lights. But each lighting fixture also has computing and networking capabilities. The system includes cameras and sensors that feed data into it. The airport won’t discuss the system’s full capabilities, but we know it can monitor licence plates of cars entering the departure area or the parking lots. [Sourc]

US – Dance Depicts a Farewell to Privacy

“Surveillance” is a new 60-minute dance performance at New York Live Arts this week that looks at an Orwellian Big Brother society. “In a society in which people need to film or photograph everything, what intimacy is left?” writes Alastair Macaulay. The dance is choreographed by Zvi Gotheiner and features depictions of people passing through a body check, ostensibly at a national border, and illustrates a sense of humiliation felt by the subjects of the searches. In another scene, one dancer videotapes another, and later, the camera is turned on the audience. [The New York Times]

Telecom / TV

US – White House Advising Police to Keep Quiet on Cell Data Sweeps

The Obama administration has been “quietly advising local police not to disclose details about surveillance technology they are using to sweep up basic cellphone data from entire neighborhoods.” The administration, citing security reasons, has intervened in “routine state public records cases and criminal trials regarding use of the technology,” the report states, resulting in police departments “withholding materials or heavily censoring documents in rare instances” when the documents include information about the purchase and use of the surveillance equipment. [Associated Press] [Any government can track your cellphone with right technology] and [Canada: Lost smartphones can lead to anxiety disorders: Study]

US Government Programs

US – CIA Director Apologizes for Unauthorized Access of Senate Committee Computers

CIA Director John Brennan has apologized to the Senate Intelligence Committee for improperly accessing Senate computers during the Senate’s investigation into Bush-era interrogation practices. Brennan called the action “inconsistent with the common understanding” between the agency and Senate overseers. Earlier this year, Brennan denied that the CIA had accessed the computers. [NextGov] [ArsTechnica] [NBC News]

US – NSA’s Search Engine Allows Agencies to Share Data

In the latest leak from Edward Snowden, an internal search engine has been built by the NSA allowing the agency to share vast amounts of surveillance data with nearly two dozen government agencies. Called ICREACH, the “Google-like” search engine shares more than 850 billion records, including phone calls, emails, cell-phone location data and Internet chats. Key participants, the report states, include the Federal Bureau of Investigation and the Drug Enforcement Agency. ICREACH is accessible by as many as 1,000 analysts at 23 U.S. government agencies and can handle between two and five billion new records per day. [The Intercept]

US Legislation

US – California Assembly Passes Groundbreaking Student Privacy Bill

California’s Assembly on Monday approved first-in-the-nation privacy measures prohibiting the use of students’ personal information for profit. The Student Online Personal Information Protection Act was authored by Senate Leader Darrell Steinberg (D-District 6) and passed the Assembly unanimously on a 71-0 vote. The bill “would end targeted advertising on K-12 websites, services and applications” and also “prohibits operators from using any information gained from the use of their K-12 site to target advertising on any other site, service or application,” according to a press release from Steinberg’s office. The bill will now head to the Senate for a vote. [Source] See also: [What Student Data Do Schools Collect?] See also: [Calgary principal apologizes after students’ personal information disclosed]

US – Delaware Passes Legislation Grants Heirs Access to Digital Assets

The US state of Delaware has passed legislation giving a person’s heirs the right to digital assets, such as social media accounts, in the event of incapacitation or death. The Fiduciary Access to Digital Assets and Digital Accounts Act, signed into law by Governor Jack Markell, allows a person’s heirs to assume control of digital accounts and devices just as they would any physical assets and documents. [ArsTechnica]

US – House Passes Bills to Address Critical Infrastructure Security

The US House of Representatives has approved legislation aimed at improving the cyber security of companies that operate elements of the country’s critical infrastructure. One of the bills would create public-private partnerships. Another bill focuses on improving critical infrastructure security technology, and a third bill is aimed at building DHS’s cyber work force. [NextGov] Sen. Ron Wyden (D-OR) discussed the need for outdated privacy laws to be changed in order to “reflect both the Constitution and public expectations.”

US – House Bill Would Require Federal CIOs to Sign Off on Web Site Security

A bill passed by the House of Representatives would require federal websites that retain personally identifiable information to be certified as secure by an agency chief information officer. New sites would have to obtain CIO approval before going live. Sites that are already live and were launched after October 1, 2013 would have to obtain the approval within 90 days of the bill’s passage. [NextGov] JDSupra has published a summary of changes made to U.S. state data breach notification laws.

US – Tennessee Legislature Adds Employee Privacy Protections to “Internet Accounts”

“Accessing information about employees and applicants via their social media accounts just got a bit more complicated in Tennessee. This past legislative session, the Tennessee General Assembly passed the Employee Online Privacy Act of 2014 aimed at protecting employees and applicants from being forced by an employer to turn over access to their social media accounts. The Act makes Tennessee part of a growing number of states enacting similar legislation. Although the Act, which takes effect January 1, 2015, can be seen as a win for employee privacy, it is not an absolute bar to employers using social media as a tool to monitor their employees’ and applicants’ actions. The law still leaves several permissible purposes for which employers may utilize social media in the employment context.” [More] [Source]

US – CA Drone Privacy Bill Moves Forward; Amazon Seeks DOT Exemption

A California bill that would place strict regulations on how law enforcement and other government agencies can use drones passed the California Assembly. The bill would require law enforcement to obtain warrants before using drones except in cases of emergency such as fires or hostage situations. Other public agencies would be able to use drones as long as the purpose is not for gathering criminal intelligence. The bill now heads to the governor’s desk. Meanwhile, the Association for Unmanned Vehicle Systems International has written to the U.S. Department of Transportation to grant Amazon an exemption under Federal Aviation Administration rules that would allow it to conduct immediate outdoor tests of its commercial drones. [Reuters] See also: [Eyes in the Sky: Inquiry into Drones – The Parliament Of The Commonwealth of Australia]

US – California Passes Law Mandating Smartphone Kill Switch

Smartphones sold in California will soon be required to have a kill switch that lets users remotely lock them and wipe them of data in the event they are lost or stolen. The demand is the result of a new law, signed into effect on this week, that applies to phones manufactured after July 1, 2015, and sold in the state. While its legal reach does not extend beyond the state’s borders, the inefficiency of producing phones solely for California means the kill switch is expected to be adopted by phone makers on handsets sold across the U.S. and around the world. The legislation requires a system that, if triggered by an authorized user, will lock a handset to essentially make it useless. The feature must be installed and activated in new smartphones, but users will be able to deactivate it if they desire, and it must be resistant to attempts to reinstall the operating system. Police can also use the tool, but only under the conditions of the existing section 7908 of the California Public Utilities Code. That gives police the ability to cut off phone service in certain situations and typically requires a court order, except in an emergency that poses “immediate danger of death or great bodily injury.” The law doesn’t specify how the system locks the phone, nor what happens to the data on the phone when it’s locked. Each manufacturer can come up with their own system. [PC World]

Workplace Privacy

US – Survey: Some Employees Would Trade PI for Benefits

According to a report on workplace privacy, nearly one-third of respondents said they would be willing to trade personal data to their employers for certain benefits. Conducted by PricewaterhouseCoopers (PwC), the research surveyed 10,000 employees and 500 human resources (HR) professionals worldwide. PwC Global HR Consulting Leader Michael Rendell said, “Just as advertisers and retailers are using data from customers’ online and social media activity to tailor their shopping experience, organizations could soon start using workers’ personal data (with their permission) to measure and anticipate performance and retention issues,” adding, “This sort of data profiling could also extend to real-time monitoring of employees’ health, with proactive health guidance to help reduce sick leave.” [The Financial]

ON – Canada: Employer Asks HRTO for Permission to Access Employer’s Own “Occupational Health and Claims Management” File on Employee

Must an employer obtain permission from the Human Rights Tribunal of Ontario to access medical records held in the employer’s own file on an employee who filed a human rights complaint with the Tribunal? That question is raised by a recent Tribunal decision. The employer submitted that Tribunal authorization was necessary “because there may be a conflict with respect to privacy standards required by applicable legislation. The respondent indicates that the expectations and protections under the Personal Health Information Protection Act . . . for health information custodians regarding disclosure may be different from the duty imposed on employers by the Occupational Health and Safety Act . . . The respondent submitted that the Tribunal has granted the orders it seeks in other cases in which similar circumstances arose.” The employer was likely referring to subs. 63(2) of the OHSA which states: “No employer shall seek to gain access, except by an order of the court or other tribunal or in order to comply with another statute, to a health record concerning a worker without the worker’s written consent.” The case illustrates that employers seeking to use information in an employee medical file for litigation purposes should proceed cautiously and should seek a court or Tribunal order if necessary. [Mondaq News]

+++

16-30 June 2014

Biometrics

WW – Industry: “There Is No Anonymity If We Choose to Live in Society”

The recent National Telecommunications and Information Administration (NTIA) meeting on drafting a voluntary code for commercial uses of facial recognition technology was short, but not for lack of contentious debate. As promised at the last NTIA meeting, the trade association representing the biometrics industry prepared a draft of principles on a code, and there were a few people who didn’t like what it had to say—at all. It’s a particularly heated time to talk facial recognition: More than 30 privacy and civil liberties groups sent the Justice Department a letter this week asking that it complete a “long-promised audit of the FBI’s facial-recognition database,” while behavioral authentication company Biocatch has raised $10 million to expand its biometric authentication platform. But the meeting turned on this one sentence: “There is no anonymity if we choose to live in society.” Angelique Carson reports for The Privacy Advisor.

US – Biometrics Industry Introduces Best Practices Draft, Advocates Don’t Like It

The International Biometrics Industry Association has introduced a discussion draft on proposed self-regulatory standards on facial recognition as part of the National Telecommunications and Information Administration (NTIA) multi-stakeholder process. The draft, introduced ahead of the NTIA’s June 24 meeting, has some privacy advocates upset. The Center for Digital Democracy’s Jeff Chester said the draft is “just the latest example of where the NTIA process is being run by industry lobbyists who really don’t want to see consumer privacy protected.” [Broadcasting & Cable] [Biometrics and its Emerging Role in Financial Services]

US – Researchers’ Work Takes “Quantified Self” to New Level

A prototype wearable device is designed to detect nonverbal body noises—including coughing, laughing and teeth grinding—that can provide evidence of a person’s mood and health. Developed by researchers at Cornell University, the system attaches behind a user’s ear and could possibly be integrated with Google Glass in the future. Its built-in sensors can detect subtle clues to determine mood and emotional state. “We see ‘quantified self’ and health tracking taking off, but one unsolved problem is how to track food consumption in an automated way,” said the lead researcher of the technology. She said if enough people use it, for example, the health of a city may be measured. [MIT Technology Review]

US – Match Pairs Up with Facial Recognition Company to Find Clones of Exes

Popular dating site Match.com is rolling out facial recognition technology that will help users find “clones” of their exes. Three Day Rule, the company partnering with Match for the facial recognition tool, bases its model on the fact that “attractive” means different things to different people. Match users can opt in to the Three Day Rule database to be paired up. The software identifies hair color, face shape, eye shape and eyebrow structure of the “ex” to find a match. While that gives some folks the creeps, the algorithm is not much different than what other sites are using these days, the report states. [The Washington Post]

Big Data

WW – Big Data Discrimination Issues the Focus of Winners at PLSC

Over the past year, the idea of big data analytics and its potential for discriminatory harm has only gained steam. IAPP VP of Research and Education Omer Tene published with the Future of Privacy Forum’s Jules Polonetsky about the topic in a paper called “Judged by the Tin Man”; Michael Schrage wrote about it for Harvard Business Review , and the White House reports on big data highlighted potential discrimination as an issue to watch. Perhaps it’s not surprising then that the two IAPP prize-winning papers at this year’s Privacy Law Scholars Conference both deal with big data and the increasingly complicated systems that employ it. The IAPP’s Sam Pfeifle interviews the four authors of the two papers in this exclusive for The Privacy Advisor.

Canada

CA – Commissioner Cavoukian Calls on Govt to preserve Freedom and Liberty

In the final annual report of her unprecedented third term as Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian draws attention to the need for greater transparency and accountability from the provincial and municipal governments. She also calls on Canadians to keep the pressure on our country’s leaders to ensure that the message of “respect our privacy, respect our freedoms,” is heard loud and clear. Entitled Freedom and Liberty, the Commissioner has put forward four key recommendations in her report to safeguard Ontarians’ right of access to public records, and holding government to account:

  • New Consequences for Insufficient Records Retention
  • Municipal Councillors’ Records
  • Government Contracts
  • Modernization of the Acts. [Source] [2013 Annual Report]

CA – Commissioner Therrien: Human Rights Run in My Blood

Daniel Therrien applied for the job as Canada’s federal privacy commissioner as soon as he read the news: Jennifer Stoddart would soon retire. For many in the privacy community, the government’s subsequent approval of Therrien for the role earlier this month was confusing. Most hadn’t heard of him—and he certainly wasn’t known among the privacy circuit. In an exclusive interview, Angelique Carson spoke with Therrien about how he feels his career to this point, his upbringing, even his home in the country, all align perfectly with his new role as the chief protector of Canadians’ privacy. [The Privacy Advisor] [Therrien believes his public safety background will bolster privacy watchdog role]

CA –Supreme Court Says Warrant Required to Obtain Customer Data from ISPs

Canada’s Supreme Court has ruled that law enforcement agencies must obtain a warrant to request customer information, such as names, addresses, and phone numbers, from Internet service providers (ISPs). The court ruled that individuals are entitled to a reasonable expectation of privacy, but did not overturn the conviction of the man whose case brought the issue before it because the police had been acting in good faith. [The Register] [R. v. Spencer – 2014 SCC 43 – Supreme Court of Canada]

CA – B.C.’S Top Court Says Police Cellphone Searches Unconstitutional

British Columbia’s highest court says police must obtain a warrant before searching through the vast amounts of personal information stored in a smartphone, the latest in several court judgments across Canada warning law enforcement that the contents of cellphones are private. The B.C. Court of Appeal released a decision that concluded the RCMP violated the rights of a man charged in a kidnapping when they searched two of his BlackBerry smartphones without a warrant. The court also made it clear that police must ask for permission before examining the contents of a smartphone. “It seems to me that downloading the entire contents of a cellphone or smartphone, like the BlackBerrys in this case … can no longer be considered valid … as a reasonable warrantless search,” Justice Risa Levine wrote in a unanimous decision. “The highly invasive nature of these searches exceeds the permissible scope for a warrantless search authorized under the common law as a search incident to arrest.”[The Canadian Press]

EU – WP 29 Opinion: Wait on Quebec Adequacy Decision

The Article 29 Working Party has released an opinion recommending the European Commission “wait to consider whether the Canadian province of Quebec’s data protection legal regime is adequate to preserve the privacy of personal data received from the European Union.” The opinion raises several points, including “that the territorial scope of the Quebec Act in relation to the PIPEDA should be clearly defined before any decision on its adequacy is taken by the European Commission” and stating “the Working Party considers necessary any initiative, such as a legislation change or a court ruling, offering a clear definition of the notion of ‘sensitive information’ … (and) considers that the onward transfer principle needs to be clarified in Quebec’s law.” [EU Europea] [Bloomberg BNA] {H&W Blog]

CA – Examining Ontario’s “Vicarious Liability” Case

Norton Rose Fulbright Canada LLP’s Christine Carron, Pamela Sidey and Randy Sutton consider the question, “Should an employer be held vicariously liable if an employee breaches the privacy of a company’s customers?” They write that according to Ontario’s Superior Court of Justice, “vicarious liability for the nascent tort of ‘intrusion upon seclusion’ could be the basis of a nationwide class-action for non-pecuniary damages.” The authors note employers could also face liability “for failing to adequately supervise employees and protect their customers’ personal and financial information.” [Mondaq]

CA – Poll: Most Canadians Don’t Approve of Bill C-13

A new poll by Forum Research indicates most Canadians oppose Bill C-13, “at least when asked about elements of Bill C-13 that have nothing to do with cyberbullying.” The survey, which was conducted earlier this month, included 1,433 respondents. Of those, “more than two-thirds of Canadians disapproved of a stipulation in the controversial bill that would allow authorities to access personal data without a warrant,” report states, noting 79% of those who have personal data online “said they expect their personal information to remain confidential and private.” [The Huffington Post Canada] [Letter to Prime Minister Steven Harper Regarding Canada’s Growing Privacy Deficit – AMINA Corp, Canadian Civil Liberties Association, Canadian Internet Policy & Public Interest Clinic et. al]

CA – New Tool Helps Canadians Find Out if Telecoms are Collecting Their Info

Canadians concerned about their online privacy have a new way to find out whether their telecom provider is collecting information about them — and sharing it with third parties like government entities. The new tool, developed by some of the country’s top privacy experts, makes it easier for Canadians to force their provider to disclose their practices. “What we’re trying to do as researchers is identify what kind of data telecommunications companies in Canada collect, obtain, and process, and disclose to third parties,” said Dr. Christopher Parsons, a fellow at the Munk School of Global Affairs’ Citizen Lab. “But we also wanted to make it easier for Canadians individually to engage in the same sort of action.” Known as “Access My Info,” the web tool helps create a formal letter which, under Canadian privacy law, telecom companies are legally obliged to respond to within 30 days, the website offering the tool says. The project was developed by OpenMedia.ca, the Citizen Lab and the Digital Stewardship Initiative. [The Canadian Press]

CA – Ring Outlines Recommendations That Would Dismantle Bill 29

Newfoundland and Labrador Privacy Commissioner Ed Ring’s first presentation at the Access to Information and Protection of Privacy Act Review Committee hearings, where he “outlined a series of recommendations that he says will equate to the dismantling of Bill 29, the province’s privacy legislation.” Ring’s office has spent much time in court since the controversial Bill 29 was passed, the report states, noting those court cases often involved determining “if solicitor-client privilege exceptions are valid.” Ring has called the process “expensive, time-consuming and frustrating,” the report states. [Voxy]

CA – The Supreme Court Decision on IP Addresses and Its Implications

Canada’s Supreme Court unanimously concluded individuals “may have an interest in anonymity on the Internet that should be taken into account in determining whether law enforcement should have warrantless access to subscriber information associated with Internet Protocol addresses.” The court determined Internet service providers’ (ISPs’) terms of service and the Personal Information Protection and Electronic Documents Act (PIPEDA) “did not affect the analysis in the way previous courts had suggested,” writes Timothy Banks of Dentons Canada. “The court rejected the idea that PIPEDA permits an organization to respond to a police request that would otherwise violate an individual’s reasonable expectation of privacy.” This decision sets the stage for consideration of other data and has implications for any organization that receives police requests for information. [Privacy Tracker]

CA – Judge Certifies Class-Action Under New Canadian Privacy Tort

Justice Robert Smith recently certified a class-action lawsuit against the Bank of Nova Scotia under the new privacy tort of intrusion upon seclusion, saying “he couldn’t rule out the possibility the bank is vicariously liable for breach of privacy” after an employee stole client records. The employee “was given complete power in relation to the victims’ (customers) confidential information because of his unsupervised access to their confidential information,” Smith said, which created the opportunity for him to “abuse his power.” Suzanne Chiodo, an associate at Rochon Genova LLP, says this is good news for privacy lawyers, adding it “combines the law that was laid down in Jones v. Tsige with the low bar for certification” in class-actions. [Law Times] [Canada: Stolen Customer Data Results In Ontario’s First Certified Privacy Class Action]

CA – Despite Supreme Court Ruling, Senate Passes Bill S-4

While Privacy Commissioner Daniel Therrien has said Bill C-13 and S-4 should be reviewed in light of last week’s Supreme Court ruling that warrants are required to access telecom subscriber info, the Senate has passed Bill S-4. In his blog, Michael Geist called the move a “head in the sand approach.” Meanwhile, Justice Minister Peter MacKay has said the Supreme Court’s ruling “actually confirms what the government has said all along: that Bill C-13’s proposals regarding voluntary disclosure do not provide legal authority for access to information without a warrant.” [The Huffington Post Canada] See also: [OIPC BC – Follow-Up to Special Committee to Review the Personal Information Protection Act]

CA – Bill Calls for CSEC Scrutiny

Liberal MP Joyce Murray has tabled a private member’s bill seeking “to impose greater judicial and parliamentary scrutiny on Communications Security Establishment Canada (CSEC).” CSEC currently “faces no such direct scrutiny,” the report states, noting, “This spy agency operates under secret orders from the Minister of National Defence and keeps its relationships with communications corporations murky,” while being allowed to gather Internet data “without going to court.” Critics are calling for changes, with University of Ottawa Law Prof. Craig Forcese suggesting, “The government has been operating on a theory that what they’re collecting is something magical that doesn’t attract a reasonable expectation of privacy.” [The Globe and Mail] See also: [Border agency backs down on cross-border data bank]

CA – Cavoukian Calls for Document Destruction Penalties

Describing the alleged destruction of public records related to a scandal over a decision to cancel two gas plants as “offensive,” Ontario Information and Privacy Commissioner Ann Cavoukian is calling for “real penalties for bureaucrats or elected officials who deliberately destroy government records in violation of the Privacy Act.” “This is not how freedom works,” Cavoukian said during the release of her final annual report before the end of her third term as the province’s commissioner. She added, “I just think we have to drive that home so government doesn’t think they can do whatever they want quietly behind closed doors.” [The Canadian Press] See also: [Exit interview: Ann Cavoukian leaves privacy watch dog role to lead Ryerson’s big data institute]

Consumer

US – Woman Registers Herself as Corporation to Take Back Data Control

One woman aiming to regain ownership and control of her data. Jennifer Lyn Morone, an American working on her master’s degree at London’s Royal College of Art, has turned an art project aimed at designing a protest into an effort to transform herself into a “humanoid/corporate hybrid” and has become Jennifer Lyn Morone (JLM), Inc., registered as a company. JLM’s business plan is an attempt to “establish the value of an individual in a data-driven economy.” The business “derives value from three sources,” its plan states: “accumulation, categorization and evaluation of data generated as a result of Morone’s life.” [The Economist]

WW – “Respect Network” Aims to Put Users in Control

The Respect Network, launched in an attempt to “create a decentralized successor to today’s ad-centric model, where everyone throws their personal data into centralized services such as Google and Facebook.” The service is a new application platform and “a network of private, portable ‘clouds’ of personal data” that allows the user to stay in control, the report states. Meanwhile, a new study has found that banning the use of privacy services to hide domain name registrants from potential criminals would have privacy implications for lawful users of such services. [GigaOM] See also: [Is privacy loss worth 8% Ajusto car insurance saving: Mayers] See also: [U.S. GAO – Consumers’ Location Data – Testimony Before the Subcommittee on Privacy, Technology and the Law, Committee on the Judiciary, United States Senate]

WW – Facebook Moods May be Contagious, but So Is User Ire

Late last week, Facebook revealed it had manipulated a randomly selected number of users’ news feeds in a psychological experiment to see if mood is essentially contagious. Researchers determined it was. But public outcry for such an experiment without users’ consent prompted lead researcher Adam Kramer to post a public apology. In January 2012, Facebook selected 689,003 users and changed the number of positive and negative posts in their feeds. Users who saw more positive posts tended to write positive posts and vice versa. The research was in line with Facebook’s terms of service, but some say it was unethical. Meanwhile, in the U.S., Facebook is taking on the New York district attorney’s office for its seizure of 381 disabled retirees’ profiles in a fraud investigation. [The New York Times]

E-Government

UK – Government in Cyberspace: UK Citizens Remain Divided

A survey by KPMG and Censuswide has found that UK citizens are divided on the role of government in cyberspace. Calls have been made for UK laws governing internet surveillance to be reviewed after revelations of a secret government policy justifying mass surveillance of UK users of Facebook, Twitter, YouTube and Google. The survey found that 76% of respondents think government needs to do more to protect their online privacy. Additionally, 55% said government should be responsible for keeping the internet running, and 54% said the government should not interfere with the operation of the internet. [Digital By Default News]

UK – U.K. Conducts Mass Cyber-Snooping, Rights Groups Say

Britain’s top counterterrorism official says the country’s espionage rules allow its electronic spy agency to routinely intercept online communications between Britons who use U.S.-based platforms such as Facebook, Twitter and Google. A witness statement by Office for Security and Counterterrorism chief Charles Farr, made public Tuesday, said data sent on those services is classed as “external” rather than “internal” communications because the companies are based outside Britain. Britain’s Home Office confirmed the document was genuine. It was written in response to a legal action by civil liberties groups who are seeking to curb cyber-spying, and was published by the groups this week. [Associated Press]

Electronic Records

US – Hospital Networks Leaking Data

Researchers have found that hospital networks are leaking information to the Internet. In some instances, the leaked data include lists of all computers and devices on a hospital’s internal network. In every case, the leakage problem could be traced to an Internet connected computer that was improperly configured. Attackers could potentially identify vulnerable systems because network administrators have enabled Server Message Block (SMB) in a configuration that makes the data externally accessible. These computers were often found to be running Windows XP. [WIRED]

Encryption

US – Massachusetts Court Says Man Can be Compelled to Decrypt Computers

The Massachusetts Supreme Judicial Court has ruled that a man suspected of mortgage fraud can be ordered to decrypt computers seized from his possession. According to the court, the defendant, Leon Gelfgatt, admitted to police that he owned the computers and that he could decrypt them. The court ruled that this information means that decrypting the devices would not reveal anything new to authorities. [Ars Technica] [DocumentCloud] See also: [U.S. Department of State Written Response to Kelley Drye & Warren LLP in Relation to the Use of Tokenization]

WW – More Than 300,000 Servers Still Have Not Patched Heartbleed

According to a recent scan of web servers, at least 300,000 have not been patched to protect them from exploits targeting the Heartbleed vulnerability. The flaw was disclosed in April; a scan run at that time indicated more than 615,000 publicly available SSL servers with the vulnerability. A month later, the number had dropped to 318,000. However, the most recent scan showed that fewer than 10,000 servers had been patched in the last month. [CNET] [ComputerWorld] [v3.co.uk] See also: [Android 4.4.4 Addresses Heartbleed Flaw | The Register | Ars Technica | ComputerWorld]

WW – Researchers Use Big Data, Data-Mining to Bypass HTTPS Encryption

Researchers from the University of California at Berkeley and Intel say they were able to use big data models to get around a widely used version of encryption—Hypertext Transfer Protocol Secure (HTTPS)—including on sites operated by the Mayo Clinic, Planned Parenthood, Kaiser Permanente, Bank of America and the American Civil Liberties Union. The researchers say, in their most recent paper, they were able to identify sensitive information a person was searching on HTTPS-encrypted sites with 90-percent accuracy—including searches on pregnancy and suicide. [The Wall Street Journal]

EU Developments

EU – Irish High Court Refers Facebook Case to ECJ

In a move that could have big implications for Facebook and the EU-U.S. Safe Harbor arrangement, Ireland’s High Court has referred questions raised in a case brought by Max Schrems to the European Court of Justice (ECJ). A recent ECJ ruling made waves after it ruled Google must delete links in the so-called “right-to-be-forgotten” case. Schrems, who started Europe-v-Facebook , has alleged Facebook illegally transferred EU citizens’ personal data out of the EU to U.S. intelligence agencies and that Irish Data Protection Commissioner Billy Hawkes wrongly interpreted EU data transfer law. A legal representative for Hawkes said the controversy was a matter for the political level, the report states. Meanwhile, EU Justice Commissioner Viviane Reding said a lack of judicial redress for EU citizens in the U.S. could prevent the EU from backing the Safe Harbor agreement. [The Irish Times]

EU –The Irish Facebook Case Is About Safe Harbor’s Future: Opinion

Analysis continues to pour in now that an Irish High Court judge has issued a preliminary judgment in a case involving Facebook that may have “sweeping consequences for U.S. e-commerce firms.” In the case, privacy activist Max Schrems claimed Safe Harbor didn’t protect his data because he’s not a U.S. citizen. “The judge hasn’t ruled directly on the major arguments of the privacy activist,” the report states, but has referred the case to the European Court of Justice to determine the validity of the EU-U.S. Safe Harbor agreement. Schrems’ case argues that Facebook, because it founded a subsidiary in Ireland, is subject to European privacy laws. EU Justice Commissioner Viviane Reding has said her office has begun a review of Safe Harbor. [The Washington Post]

EU – CNIL Gets New Online Audit Powers

Reports on the Act on Consumer Protection, which has amended the Act on Information Technology, Data Files and Civil Liberties “to allow the French data protection authority, the Commission Nationale Informatique et Libertés (CNIL), to conduct online audits.” The legislature’s goal was to allow the CNIL “to find infringement efficiently on the Internet by giving such findings probative value, and once an infringement has been found, to instruct the data controller to comply immediately,” the report states. The CNIL may now conduct Data Protection Act compliance audits remotely, “from a computer connected to the Internet” in this “latest addition to the audit procedures already in place.” [International Law Office]

UK – UK Gov’t Says Warrantless Spying on Social Media Sites is Legal

The UK government’s most senior security official says mass surveillance of social media is permissible under the law because such sites are “external communications.” Christopher Farr, director general of the Office for Security and Counter-Terrorism, says the monitoring of such online communications—recently called out in a case brought by Privacy International, Liberty, Amnesty International and other civil rights groups—does not require law enforcement to obtain search warrants because the Regulation of Investigatory Powers Act only requires warrants for spying on internal communications between British residents. [The Guardian]

UK – UK Government Can Intercept Social Media Posts Without Warrant

The British government can collect posts from social media sites like Google, Twitter, and Facebook without a warrant because the content is considered “external communications.” This revelation comes from court testimony from the Director General of the UK’s Office for Security and Counterterrorism published ahead of a hearing scheduled for mid-July. The distinction between the types of communications is made in sections 8(1) and 8(4) of the UK’s Regulation of Investigatory Powers Act (RIPA). [ArsTechnica] [BBC] [ComputerWorld] [Privacy International]

US – Bill Would Amend ECPA, Require Warrant to Search eMail

A bill that would require the government to obtain a warrant before searching people’s email and other stored communications now has majority support in the US House of Representatives. The Email Privacy Act would amend 1986’s outdated Electronic Communications Privacy Act (ECPA). The proposed legislation would bar third-party service providers from disclosing customers’ communications to law enforcement unless they have a warrant. [ComputerWorld] [CNET] [Text of Bill]

EU – Irish High Court Refers Facebook Case to ECJ

In a move that could have big implications for Facebook and the EU-U.S. Safe Harbor arrangement, Ireland’s High Court has referred questions raised in a case brought by Max Schrems to the European Court of Justice (ECJ). A recent ECJ ruling made waves after it ruled Google must delete links in the so-called “right-to-be-forgotten” case. Schrems, who started Europe-v-Facebook, has alleged Facebook illegally transferred EU citizens’ personal data out of the EU to U.S. intelligence agencies and that Irish Data Protection Commissioner Billy Hawkes wrongly interpreted EU data transfer law. A legal representative for Hawkes said the controversy was a matter for the political level, the report states. Meanwhile, EU Justice Commissioner Viviane Reding said a lack of judicial redress for EU citizens in the U.S. could prevent the EU from backing the Safe Harbor agreement. [The Irish Times]

EU – Right-to be-Forgotten Decision Has Nothing to Do With Right to be Forgotten

In the weeks following the European Court of Justice (CJEU) decision on the so-called “right to be forgotten,” reactions have varied among stakeholders. Google announced it will begin removing links to online content in Europe by the end of June. Now that enough time has passed since the decision, Profs. Vagelis Papakonstantinou and Paul de Hert have ruminated on its implications. Papakonstantinou and de Hert “calmly assess what the CJEU decision really is and is not about,” suggesting it “has nothing to do with a ‘right to be forgotten’” at all. [Privacy Perspectives] [The New York Times]

EU – Hustinx Pushes for Privacy Framework in Letter to EC President

It is “vital for a strong and modernised data protection framework in the EU to be adopted as soon as possible and for privacy and data protection considerations to be mainstreamed into all new policies and legislation,” European Data Protection Supervisor Peter Hustinx wrote in a letter to European Council (EC) President Herman Van Rompuy. The letter comes in advance of the EC’s next meeting, during which it intends to agree on “strategic guidelines for the future development of justice and home affairs in the EU.” Hustinx notes his concern that communications from the council “barely acknowledge the role of data protection in ensuring the EU’s activities are appropriate and proportionate” and recommends the council use his office’s opinion on the future development of freedom, justice and security as guidance. [EDPS]

EU – Are EU States Allowing Direct U.S. Surveillance?

The U.S. National Security Agency (NSA), with the aid of several EU governments, directly taps cables to collect high volumes of private e-mails, phone calls and Internet chats. The program, known as RAMPART-A, was revealed to a Danish newspaper in collaboration with The Intercept. According to documents leaked by Edward Snowden, foreign partners “provide access to cables and host U.S. equipment.” And, the “NSA is more active in Germany than anywhere else in Europe,” Der Spiegel reports . In a letter to European Council President Herman Van Rompuy, European Data Protection Supervisor Peter Hustinx said the EU needs stricter controls to protect citizens from spying. And the U.S. House of Representatives overwhelmingly passed a bill this week that would significantly restrict warrantless government access to private electronic communications. [The Intercept]

Facts & Stats

WW – “People Are Now Products” and PI Is Currency, Study Suggests

A recent study by encrypted communications company Silent Circle found that 88% of people in the UK believe their mobile calls and texts are being tapped. The results indicate “people are now products, and their private information is the currency,” said Silent Circle CEO Mike Janke. Meanwhile, services that offer encryption apps for privacy and data storage are seeing an uptick in sales. Ctrl-Shift, a marketing consultancy group, says it sees the launch of a new personal information-management services initiative once per week, on average. [The Wall Street Journal] See also: [National Institute of Standards and Technology – Guidelines on Mobile Device Forensics – Special Publication 800-101 – Revision 1]

Finance

US – Ford and Intel Pair Up Toward Smarter, Privacy-Enhanced Cars

Research from Ford and Intel recently explored how interior-facing cameras would be integrated with sensor technology and data generated within and around a car to create “a more personalized and seamless interaction between driver and vehicle,” according to a press release. Project Mobii also aims to give drivers greater privacy and controls, with features like facial recognition technology that personalizes display information depending on whether there’s an additional passenger in the car and alerts the primary vehicle owner via a smartphone picture if the driver is not recognized by the car. [Wall Street Journal] [US: Privacy an issue in auto technology, expert says]

FOI

US – Open Gov’t Initiatives Mean Increased Transparency, Privacy Risks

Governments are making more data publicly available in machine-readable formats in an effort to be more transparent, but doing so has privacy risks, according to a paper recently published in a Switzerland-based scholarly journal. The report is authored by the University of Ottawa’s Teresa Scassa, who says the open government movement has privacy risks, including responsibly handling public personal information, distinguishing between public- and private-sector actors and “the potential for monitoring and profiling of citizens through big data.” [FierceGovernmentIT] See also: [Article 29 Data Protection Working Party – Statement on the Role of a Risk-Based Approach in Data Protection Legal Frameworks]

CA – Federal Advisers Urge Access to Information Reform

Several members of the federal advisory panel on open government are urging the Conservatives to reform the Access to Information Act, a law that has barely changed in more than 30 years. The panel of experts from business, academia and civil society is providing advice to Ottawa on preparations for the next open government plan, to be released this fall. In their first plan, published in 2012, the Conservatives focused on making data sets more readily available, increasing access to archived federal documents and developing new ways to consult Canadians online. But the government has made no commitment to reforming the Access to Information Act despite calls for modernization from the federal information watchdog, opposition parties and pro-democracy groups.[The Canadian Press] see also [ON: Complaints about justices of peace kept secret] See also: [US – Further Guidance on the Implementation of FATCA and Related Withholding Provisions: Notice 2014-33 – Internal Revenue Service]

Google

WW – Google to Unveil Connected Health Service

On the heels of a similar announcement by Apple, Google will reportedly launch a new health service called Google Fit, which will collect and aggregate data from fitness trackers and other health-related applications. The announcement is expected next week at the Google I/O conference on June 25 and 26. Google Fit will collect the data from open APIs and will announce partnerships with other wearable device makers. Google Fit may also make it possible for health-monitoring, wearable devices to interface with Google’s cloud-based services. [Forbes]

Health / Medical

US – ONC Team to Consider Protecting Minors’ EHR Data

The Privacy and Security Tiger Team of experts, coordinated by the Office of the National Coordinator for Health IT, will focus next on the complexities surrounding minors’ electronic health records. The team’s July 14 meeting will look at the varying state laws that allow minors to obtain certain health services and whether the information involved may be disclosed to parents. At issue is how to segregate the information a minor may not want shared with parents—on substance abuse or reproductive health, for example—from the rest of the minor’s record. [FierceHealthIT]

US – Pritts Talks Mobile Health Apps; Online Therapy Brings Privacy Concerns

Joy Pritts, who is about to exit as the Office of the National Coordinator (ONC) for Health Information Technology’s first-ever privacy officer, discusses the privacy risks of mobile health apps in a Q&A. Among the top threats to patient health privacy remains the loss and theft of devices as well as “inappropriate access” to health records, Pritts says, adding, “We always encourage a multilayered approach to securing information.” Meanwhile a federally backed consortium of health providers, administrators and health information exchange experts are discussing how to exchange behavioral health data while maintaining privacy, and NPR reports on online psychotherapy and the privacy concerns that come with it. [SearchHealthIT] [Privacy and security experts: mHealth requires a new approach]

US – Industry Wants Patient Data-Sharing Made Easier

Health industry leaders met with lawmakers Tuesday in a roundtable discussion pushing for legislation to make patient health data-sharing easier, but lawmakers expressed concern about “nefarious” use of the data. During the discussion within the House Energy and Commerce Committee, industry asked lawmakers for legislation that would allow electronic medical records companies to charge physicians for data transfers, improve cloud computing and invest in more federal medical research. The move, argued industry, would change the healthcare system and curb medical mistakes. 23andMe’s CEO said she’d “like to democratize healthcare,” but Rep. Phil Gingrey (R-GA) said more open health data flows would be “scary.” [The Hill]

US – Hospitals May Be Using Data Brokers to ID Potential High-Risk Patients

Some U.S. hospitals are using public records and credit card transaction data gleaned from data brokers to identify potential high-risk patients. The largest hospital organization in the Carolinas, the report states, is placing data for two million individuals into algorithms that locate high-risk patients. Similarly, the largest hospital system in Pennsylvania is allegedly using household and demographic data. [Bloomberg]

Horror Stories

US – 160,000 Breached at Butler U; Biz Releases Student Data Privacy Guidelines

Officials at Butler University have warned that the records of 160,000 students, faculty, staff and alumni have been compromised after a hack. Exposed data includes birthdates, Social Security numbers and bank account information. Meanwhile, in a press release, Skyward, a K-12 software provider, has unveiled a set of data security and privacy guidelines for protecting student data. The recommendations include best practices for electronic storage as well as how to evaluate and strengthen schools’ internal privacy policies. Separately, former Mississippi Governor Haley Barbour writes, “Student privacy should be protected, and companies should not be raiding kids’ records to make a buck.” Last week, in a joint House subcommittee hearing, lawmakers and experts discussed student data privacy issues and concerns. [Miami Herald] See also: [NZ: At what point is data breach reporting overkill?]

WW – Smart LED Lights Save Energy, Spark Privacy Concerns

A California-based company has developed Energy-saving, smart LED lights that become smart networks that can collect data. The lights contain built-in sensors and cameras—and in the case of Terminal B in Newark airport—they can monitor for security and traffic. A building in Silicon Valley uses the lights in its parking lot, where they are also connected to security cameras. “We do use the license-plate recognition, and we can also detect people,” said the building’s owner, adding, “Everything goes up in the cloud, so we can access everything from anywhere. The future is limitless for this technology.” [CBS News]

US – Bistro Hit with Class-Action Following Breach

P.F. Chang’s China Bistro has been hit with a proposed class-action lawsuit following a data breach that exposed its customers’ credit and debit card data. The plaintiff in the case, John Lewert, says P.F. Chang’s “security failures enabled hackers to steal financial data from within P.F. Chang’s systems and subsequently make unauthorized purchases on customers’ credit cards and otherwise put consumers’ financial information at serious and ongoing risk,” the report states. It appears that the security breach at PF Chang’s began in September 2013 and was still active until June 11, 2014. The breach compromised continental US customers’ payment card data. A PF Chang’s spokesperson did not comment on the timing of the attack, but noted that it does not appear to have affected the company’s Pei Wei Asian Diner restaurants. [Krebs on Security] [Law360] See also: [Forbes: Yeah, the Thieves Got the Data. But How Do They Turn It Into Cash?]

US – 1.3 Million Affected by Montana Breach

The state of Montana has begun sending out notification letters to 1.3 million people affected by a data breach. The breach was discovered in mid-May by a contractor who noticed suspicious activity on one computer storing millions of records. And a New York radiology practice has informed 97,000 patients of a data breach after an employee of the practice gained unauthorized access to their personal information. Meanwhile, privacy attorney Gregory Parks advises organizations about which data breach provisions should be included in outsourced contracts, and EDUCAUSE Center for Analysis and Research has released a paper on data breaches in higher education. [CSO]

US – Healthcare Provider Settles with HHS for $800,000

Parkview Health System has agreed to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for $800,000. Parkview will also adopt a corrective action plan to address deficiencies in its HIPAA-compliance program, according to a press release. The settlement follows an HHS investigation into a retiring physician’s complaint over 71 cardboard boxes of medical records being transferred from him to other physicians, which were left accessible to unauthorized persons. “All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk,” said an OCR spokeswoman, adding that HIPAA-covered entities must protect information even during transfer or disposal. [HHS] See also: [$412-million lawsuit launched against Toronto hospital over privacy breach]

CA – $412-Million Lawsuit Against Toronto Hospital Over Privacy Breach

A $412-million class action lawsuit has been launched against Rouge Valley Health System less than a month after the Scarborough hospital admitted to a major privacy breach affecting up to 8,300 new mothers. Michael Crystal, one of the lawyer behind the lawsuit, said that the firm is seeking damages of approximately $49,000 per person and Crystal said the number of affected patients could rise depending how widespread the breach becomes. The hospital came under fire at the beginning of June after admitting that two former employees sold patient information to multiple Registered Education Savings Plan (RESP) companies. Both the Ontario Securities Commission and the Privacy Commissioner of Ontario were notified of the breach, which is said to have occurred over a two-year period. [CP24.com]

US – Advocate Files Complaint with FTC; Other Incidents Reported

A privacy advocate has filed a complaint with the FTC over a Maricopa County Community College District (MCCCD) data breach that compromised the data of approximately 2.5 million faculty, students, vendors and staff, alleging the school violated the Safeguards Rule. “Having researched and reported on breaches for about a decade now, some breaches strike me as really appalling, and the MCCCD breach is one of those,” the advocate wrote in a blog post. Meanwhile, the U.S. Department of Justice is leading a multinational effort against the “Gameover Zeus” botnet and “Cryptolocker” ransomware. The world’s largest medical device maker, Medtronic, says it was the victim of a cyberattack in papers filed with the U.S. Securities and Exchange Commission, and Krebs on Security reports on a slew of data breaches affecting car washes across the country. BankInfoSecurity reports on lessons learned from distributed-denial-of-service attacks, including how they’re used as a diversionary tactic. [Source] See also: [In the Matter of Snapchat Inc.: Comments to the FTC – Electronic Privacy Information Center]

Identity Issues

US – New York to Issue ID Cards for Undocumented Immigrants

New York City’s 500,000 undocumented immigrants will be able to open bank accounts, visit libraries and use medical clinics, thanks to an official municipal identification card approved by the City Council. The measure, backed by Mayor Bill de Blasio, passed in a 43 to 3 vote with two abstentions. The photo IDs will display the holder’s name, birth date, address and – at the cardholder’s option – a self-designated gender. Similar cards have been created in Los Angeles, San Francisco and New Haven, Connecticut, which began its program in 2007 in response to a series of street robberies of undocumented immigrants who carried cash because they lacked access to banks. The victims’ status made them reluctant to report the crimes, said Officer David Hartman, a New Haven police spokesman. New York’s program would be the largest in the U.S., costing $8.4 million when it goes into effect next year, decreasing to $5.6 million annually over the next three years, Mark-Viverito said. The city will seek sponsors to offer discounts and other inducements for residents to carry the card so that its use would expand beyond undocumented immigrants, Mark-Viverito said. Details of how the card would be administered are still being worked out, she said. [Bloomberg] See also: [Barth-Jones: Does De-identification Work?]

Intellectual Property

AU – Australian and Irish Commissioners Agree to Cooperate

The Office of the Australian Information Commissioner (OAIC) and the Data Protection Commissioner of Ireland (DPCI) have signed a Memorandum of Understanding (MOU) to assist each other with investigations and collaborate on consumer and business education, new laws, government and self-regulatory enforcement, staffing and resource issues and information relating to investigations. “Each participant will designate a primary contact for the purposes of requests for assistance and other communications,” the MOU states. In the MOU, the OAIC and DPCI recognize the complexity of the global economy and the wide-ranging circulation of personal information across national borders, increasing the need for cross-border enforcement cooperation. [PS News]

Internet / WWW

WW – Group Developing Open-Sourced IoT Data-Sharing Standard

HyperCat is a project funded by the UK government and comprising the work of more than 40 organizations—including IBM as well as several start-ups and universities—tasked with developing a standard that would allow sensors and devices to share data more easily. The UK’s Technology Strategy Board allotted £6.4 million to the project, and the group hopes it can encourage an open-standards-based Internet of Things framework rather than an ecosystem where data is stored in silos or only available via proprietary formats and application programming interfaces. BT Semantic Technology Head John Davies said, “This will drive commercial use of the hubs and lowers the barrier to participation, particularly for SMEs.” [ZD Net]

WW – Protecting Student Privacy in the Age of Ed Tech

Attorney Bradley Shear discusses the challenges of protecting student privacy in an environment where students regularly use online technology in the classroom. Pointing to the outdated nature of the Family Educational Rights and Privacy Act, Shear writes that an “update to the terms ‘education records’ and ‘personally identifiable information’ to account for the increased capturing of student data in a digital format is needed.” Some states have stepped in with possible solutions, but, according to Shear, “The bottom line is that students, parents, teachers, privacy professionals, lawmakers, state attorneys general, the FTC and the ed-tech industry must work together to ensure that student privacy is protected in the Digital Age.” [Privacy Tracker]

US – EFF Says Opening Wi-Fi Networks Would be a Boon to Privacy

The Electronic Frontier Foundation (EFF) wants people to start opening their home wi-fi connections, saying that the change would actually improve privacy. While some companies have already begun testing this model, they have charged customers for use of their network. The EFF’s plan would be free. The organization says the initiative will boost privacy, sharing connectivity would drive home the point that an IP address is not an individual, and linking illegal activity to an IP address does not mean that the person whose router is running on that address is the culprit. Each link to the router will be encrypted, which will require users to download a certificate. Network owners’ traffic will receive priority. The EFF plans to release firmware for the project next month. [Wired] [ArsTechnica]

US – Turning Private WiFi Routers into Public Hotspots

Over the past year, Comcast started exchanging customers’ home wi-fi routers for models that allow them to be used as public hotspots. The arrangement does not allow passers-by access to password-protected home networks, but is instead intended to allow users with registered Xfinity accounts access wi-fi connections while visiting friends or in public places. The routers do not have a stronger signal, meaning people driving past homes are not likely to piggyback on strangers’ networks. The change means that users do not have to provide visitors with the password to their home network. People who use the Xfinity public network will also be required to sign in with their Comcast customer access credentials. One concern is that vulnerabilities in routers could be exploited to tamper with the devices. [CNN]

US – Postal Service Explores Sensors, Data Collection Via ‘Vehicles, Mailboxes, Machines, Letter Carriers’

The U.S. Postal Service is seeking a company to help develop a program called the Internet of Postal Things. The Risk Analysis Research Center (RARC), part of the Postal Service’s Office of the Inspector General (OIG), is looking for a supplier “who possesses expertise and critical knowledge of the Internet of Things, data strategy and analytics, and the Postal Service’s operations, infrastructure, products and services.” The OIG is exploring ways for the Postal Service to benefit from the technology that provides “virtually unlimited opportunities to collect and process data from any device, infrastructure, machine and even human beings.” [The Weekly Standard]

Law Enforcement

US – Law Enforcement Agencies Using Spyware for Mobile Device Surveillance

Researchers have uncovered a mobile spyware product known as Remote Control System (RCS), which is being sold by an Italian company to police around the world. RCS can intercept and record communications from devices running Android, iOS, Windows Mobile, Symbian, and BlackBerry operating systems. There are at least 320 command-and-control servers for RCS in more than 40 countries. [ComputerWorld] [The Register] [USA Today] See also: [Documents Suggest Illinois State Police Purchased Stingray] and [Law Enforcement Officers Were Purposely Deceptive About Stingray Use | Source]

US – FBI Discloses Data on ‘Backdoor’ Searches of Americans’ Phone Calls, E-Mails

U.S. intelligence revelations include the number of warrantless searches conducted by the Federal Bureau of Investigation (FBI) under Section 702 of the FISA Amendments Act and the FISA Court ruling that allowed for broad surveillance authority over 193 countries worldwide. The FBI sent a letter to Sen. Ron Wyden (D-OR) reporting the NSA last year used 198 e-mail addresses or phone numbers of U.S. citizens to search for data on foreign intelligence. Such a low number, Wyden said, means the FBI should be able to obtain a warrant for each one. The NSA has been granted “a far more elastic authority than previously known,” a newly disclosed 2010 legal certification indicated. [The Washington Post]

US – San Diego Police to Wear Cameras Inside Private Homes

San Diego police officers equipped with cameras on their uniforms will be allowed to record interactions with the public within private homes, Chief Shelley Zimmerman said Wednesday. The chief outlined for the City Council’s Public Safety and Livable Neighborhoods Committee the SDPD policies developed for use of the new cameras. The cameras will always be on during an officer’s shift, recording in 30-second loops so that video of the moments leading up to an interaction will be saved, she said. The officer will activate full video and audio recording before a contact. “Private citizens have a reasonable expectation to privacy in their homes,” Zimmerman said. “However, when an officer is lawfully present inside a home, such as on a warrant, consent or exigent circumstances as examples – in the course of the officer’s official duties – there’s no reasonable expectation of privacy.” The chief said officers will not be required to inform citizens that they are being recorded, but should acknowledge it when asked. They will also not be required to stop recording if a citizen makes a demand, she said. Zimmerman also described situations when officers will not push the record button, including:

  • non work-related activity in a locker room, break room or restroom;
  • when someone is being examined by a physician because of patient-doctor confidentiality;
  • when someone is a victim or witness of a sex crime or child abuse;
  • a peaceful demonstration, until it appears the gathering is about to become unlawful; and
  • victims or witnesses of other crimes so there is no hesitation to share sensitive information.

However, domestic violence victims, who often quickly recant their statements, should be recorded, she said. Kellen Russoniello, of the American Civil Liberties Union of San Diego and Imperial Counties, said the public should be informed upfront about the recording, and should be allowed to obtain a copy. Strong disciplinary procedures are also needed for officers who do not follow the procedures, he said. [City News Service]

Offshore

SG – Personal Data Protection Regulations 2014 in Force July 1st

Singapore’s Personal Data Protection Regulations 2014, effective July 2, 2014, prescribe requirements related to the exercise of rights under the Personal Data Protection Act 2012 (the “Act”) in relation to deceased individuals (the right to give/withdraw consent or bring an action/complaint), and access and correction requests (generally providing for a 30-day timeline for response, and permitting fees only for access requests, not correction requests); provisions concerning the transfer of personal data outside Singapore specify that such transfers comply with the Act if the data is in transit or publicly available in Singapore, the transfer is necessary for a contract, or the transferring organization has obtained individual consent or is required to transfer the data pursuant to a law, contract, binding corporate rules, or other legally binding instrument. [Source]

SG – Data Privacy Ambiguity May Hamper Singapore’s Smart Nation Ambition

It’s been a big week for the Singapore government which unveiled its big plan to become “the world’s first smart nation”, tapping strongly on data sensors and analytics to enable intelligent urban living. However, unanswered questions about the management of such data, which cuts across government agencies and private entities, could prevent Singapore from realizing its smart nation dream. [Source]

Online Privacy

WW – Facebook Added Research Exception to User Agreement Ex-Post

Facebook has added the term “research” to its user agreement approximately four months after its now infamous study on emotional contagion. Some have defended the study, noting that Facebook’s current user agreement explicitly says it can use data for research, but Hill points out critics “were all relying on what Facebook’s data policy says now,” adding it was not until May 2012 that Facebook made changes to its data use policy to reflect research exceptions. A Facebook spokesperson said, “To suggest we conducted any corporate research without permission is complete fiction.” Jaron Lanier writes, “My guess is that the public would choose to outlaw using our communication tools as conduits for secret, algorithmic manipulations of our emotions.” [Forbes] [The New York Times]

WW – Ad Industry Urges Web Standards Group to Abandon Do-Not-Track Effort

The Digital Advertising Alliance (DAA) is calling on web standards group the World Wide Web Consortium (W3C) to stop its Do-Not-Track initiative. “By wading into this public-policy matter, the W3C not only duplicates efforts undertaken by legitimate policy-makers but also strays far beyond its expertise and mission,” DAA Executive Director Lou Mastria wrote to the W3C on Wednesday, adding the DAA wants the W3C “to abandon this effort and to return to its mission of developing consensus around specifications for web technologies.” Turn General Counsel and CPO Max Ochoa said the proposed “tracking” definition will result in “a dramatic concentration of market power in the hands of first parties that … are historically poor stewards of privacy.” [MediaPost News] See also: [EU Article 29 Data Protection Working Party Opines on Tracking Preference Expression]

US – Amazon Phone Transmits Data; LinkedIn Launches Privacy-Guaranteed App

While Amazon’s Fire Phone is fascinating, it’s “probably also the biggest single invasion of your privacy for commercial purposes ever. And no one seems to have noticed.” While the phone is able to identify objects like books, movies and games as well as songs, TV shows and phone numbers, it does so by transmitting pictures and GPS location information to “the company that pretty much invented what we now call big data analytics for customer insights and the largest online retailer in the wild wild west.” Meanwhile, Google’s latest changes to its app permissions are “just wrong,” one blogger says, and LinkedIn has launched a job search app that promises complete privacy. [VentureBeat]

WW – Exploring OnionShare and the Risks of File-Sharing Apps for Organizations

The Electronic Frontier Foundation’s Parker Higgins writes about a newly created one-to-one file-sharing tool—OnionShare—that allows for simple, encrypted data-sharing between two people over the Tor browser. The code for OnionShare is simple, making it difficult for backdoors to be inserted, and avoids using a middleman site, such as Dropbox or Mega. Higgins also argues copyright issues—particularly ones raised by the Motion Picture Association of America and the Recording Industry Association of America—have prevented more file-sharing technology. In a separate story, eSecurity Planet reports 46% of IT security pros say data is leaking from their businesses because of file-sharing services. [WIRED]

WW – BuzzFeed Quizzes: Who Has Your Info?

The popular website Buzzfeed has “shareable quizzes” that have become “an unprecedented opportunity for data-mining.” Analytics expert Dan Barker said that while most websites record some information about you, “Buzzfeed records a whole ton.” And while most of the quiz topics are playful and innocuous, some are not. For example, one quiz asked users whether they’d been raped, attempted suicide or taken medication for mental health, and the site assigns a unique ID to every answer. BuzzFeed says it anonymizes all data and has strict policies to only access data “in the aggregate form.” [Newsweek]

US – Website Analysis Turns Up Slew of Possible COPPA Violations

An analysis of 40 popular children’s websites has found a majority of them “aggressively” tracked users. TRUSTe analyzed the top 10 websites in four categories—pre-school, education , kids’ entertainment and gaming—and found high levels of user tracking. On the 40 websites, researchers found a total of 1,110 third-party trackers from 644 different organizations. “This post-Millennial generation of kids has access to unprecedented levels of technology from an early age,” said TRUSTe CEO Chris Babel. “From toddlers to teens, kids’ online activity is monitored and their personal data is being collected, stored and possibly shared.” [PC Magazine]

WW – Westin Center Unveils First Global Survey of Rapporteurs

Can a privacy statement be valid if the statement is in English and not translated into the official local language of the country in which it’s being read by a consumer? Tough question. To get the answer, the Westin Research Center reached out to rapporteurs from around the world to get answers for 21 different countries in its first global survey of privacy law. [Source]

WW – Beyond Privacy Policies: Why Software Transparency Is Needed

“A privacy policy or transparency statement is a good starting point but, by itself, only expresses aspirations and intentions,” write Ontario Information and Privacy Commissioner Ann Cavoukian and Dawn Jutla of Saint Mary’s University. “It stands to reason,” they add, “that documented and independently verifiable privacy claims should enhance compliance, credibility and trust goals. To achieve this, we need standardized methods and tools.” Cavoukian and Jutla detail how to accomplish this and discuss the work of the OASIS Privacy by Design for Software Engineers Technical Committee. [Privacy Perspectives]

US – Privacy Policies Don’t Inspire Consumer Trust

Responding to the California AG’s recently issued CalOPPA guidance, Andrew Serwin says while transparency is a noble goal, recent research shows that statements made in a privacy policy may not be so important for consumer trust. Serwin discusses the Lares Institute’s recent research finding consumers “did not rank disclosures in a privacy policy as being that important. Indeed, what people read in a privacy policy was seventh out of the 10 reasons people trusted companies with their information,” and only five percent of respondents said reading the policy was the reason they trusted the company. [The Privacy Advisor]

US – HIPAA-Compliance Software Increasingly Popular

With HIPAA audits to increase this year, healthcare organizations are investing in software or services to ensure compliance. HIPAA Secure Now, a risk assessment service, saw website activity grow from 400 to 7,000 hits a month since the HIPAA omnibus rule went into effect in March 2013. Meanwhile, since federal breach reporting requirements took effect nearly five years ago, more than 1,000 medical breaches involving 500 people or more have been reported to HHS. An InsuranceNewsNet article offers five tips on how to avoid HIPAA breaches. [InformationWeek]

Other Jurisdictions

MX – Mexican Congress Expected to Tackle Telecom Bill

After widespread protests halted the advancement of a comprehensive telecoms reform bill, a special session of Congress is expected to debate the bill in the next few weeks. The bill would expand government surveillance powers and allow for network discrimination, taking on similar rules to those proposed by the U.S. Federal Communications Commission. The bill also requires telecoms to retain consumer data for two years. [Access Now]

MX – Mexican Telecoms Bill to Be Taken Up in Special Session

Activist site Access Now reports that a telecoms regulation bill that has been hotly contested among Mexican Internet users is likely to be taken up in a special session of Congress in the next few weeks. The contentious portions of the bill would allow for greater law-enforcement access to data without judicial approval, allow for law enforcement to block phone and Internet access and would allow for so-called “fast lanes,” whereby Internet Service Providers could provide more bandwidth to those companies who pay for it. According to the report, “President Enrique Peña Nieto and his party, the Institutional Revolutionary Party or PRI, was forced to publicly say they would modify the bill.”

RU – Russian Parliament Passes Tax Information Sharing Bill

A bill allowing banks to share data on foreign clients with overseas governments is headed to Russian President Vladimir Putin for his signature. Hundreds of Russian institutions have signed on to comply with U.S. tax law, even given the risk of fines. The U.S. Foreign Account Tax Compliance Act requires foreign financial institutions to share information on Americans’ accounts with balances upwards of $50,000 with the U.S. Internal Revenue Service. [Reuters]

AU – Pilgrim on Australia’s Privacy Act Changes in Practice

Looking at the complexity of the Privacy Act changes that went into effect on March 12, Australian Privacy Commissioner Timothy Pilgrim discusses what those changes mean in daily life. Companies, Pilgrim states in the report, must now “be open and transparent about what they do with personal information—why they’re collecting it, how they’re going to collect it from you, the types of information they want to collect, how they’re going to use it, who they might disclose it to and how they’re going to protect it.” Companies must also make privacy policies “easily understandable and readable,” the report states, noting the Office of the Australian Information Commissioner “can enforce these changes if they see fit and is examining further policies to ensure readable policies become a reality.” [The Sydney Morning Herald]

CN – Is China’s Privacy Law Being Used to Quell Dissent?

Chinese officials arrested prominent human rights lawyer Pu Zhiqiang, according to a Reuters report, on “suspicion of the crimes of causing a disturbance and illegal access to the personal information of citizens.” The charges carry penalties of five and three years in prison, respectively. Pu was arrested at a private gathering commemorating the 25th anniversary of the Tiananmen Square protests, in which he took part. He has represented artist Ai Weiwei and other activists who have been a thorn in the side of the Chinese government. In a piece for The Washington Post, former NSA General Counsel Stewart Baker suggests the Chinese are using privacy law as a means to quell dissent. Further, “How is China’s privacy law different from the data protection laws that Europe has been urging the world to adopt?” [Reuters]

AU – Australian Gov’t: Breach Legislation Needs More Work

Although agreeing with the proposal in principle, the government will not support a bill to force companies to notify customers of data breaches because the legislation “needs more work.” In March, Sen. Lisa Singh reintroduced the lapsed Privacy Alerts Bill, which seeks to compel organisations that suffer data breaches involving such information as personal, credit or tax file number data to notify the privacy commissioner and individuals affected “as soon as possible,” the report states. Senators raised concerns about reintroducing a bill without updating the text from the prior bill. “Definitions are important. It’s not something we should just be rushing through,” said Liberal Senator David Fawcett. [IT News]

AU – Australian and Irish Commissioners Agree to Cooperate

The Office of the Australian Information Commissioner (OAIC) and the Data Protection Commissioner of Ireland (DPCI) have signed a Memorandum of Understanding (MOU) to assist each other with investigations and collaborate on consumer and business education, new laws, government and self-regulatory enforcement, staffing and resource issues and information relating to investigations. “Each participant will designate a primary contact for the purposes of requests for assistance and other communications,” the MOU states. In the MOU, the OAIC and DPCI recognize the complexity of the global economy and the wide-ranging circulation of personal information across national borders, increasing the need for cross-border enforcement cooperation. [PS News]

HK – Chiang Supports Right to be Be Forgotten in Hong Kong

Following the EU’s “right to be forgotten” ruling, Hong Kong Privacy Commissioner Allan Chiang “will ask his regional counterparts to join him in pressing the Internet search giant to extend the same safeguards to the region.” Chiang said, “As a responsible enterprise, Google should also entertain removal requests from other parts of the world to meet their privacy expectations … We are not exercising a legal right but requesting a service that is available to EU citizens.” In a separate report, SCMP quotes a Hong Kong cryptography expert on the increased “interest in open-source cryptographic tools“ since the Edward Snowden revelations. [South China Morning Post]

AU – Commissioner: Policies Needed for Wearables at Work

With wearable devices sure to make it into the workplace, Privacy Commissioner Timothy Pilgrim is encouraging companies to develop policies addressing the use of such devices. For devices that collect personal information, Pilgrim said, “the policy could also outline how that information is used, disclosed and stored.” The report suggests organisations “develop their own enterprise-grade privacy policies to ensure employees are at ease working with and around wearable computers,” noting there has been a lack of discussion “on the impact wearables will have on employee privacy and how organisations can deal with this challenge.” [The Sydney Morning Herald]

NZ – Business NZ Drops Breach Notification Objection

Lobbying group Business NZ has dropped its objection to Justice Minister Judith Collins’ call for organisations to inform the Office of the Privacy Commissioner in data loss incidents and to inform those affected in “serious” breach cases, Fairfax NZ News reports. Phil O’Reilly said issues the group would have with a change in New Zealand law would be in such details as defining what constitutes a “serious” breach, the report states, noting “BusinessNZ would object if officials implemented the law change in an ‘impractical fashion,’ but O’Reilly did not believe that was likely.” [BusinessNZ]

Privacy (US)

US – Supreme Court: Google Must Face Lawsuit Over ‘Street View’ Privacy Invasions

The Supreme Court decided it will not hear Google’s challenge to an appeals court ruling requiring the company to face a class-action lawsuit alleging it illegally spied on users from 2008 to 2010 in order to bolster its Street View data. The Supreme Court ruled the Wiretap Act covers data on unencrypted, in-home WiFi data, which Google collected as part of its Street View project. Last year, Google reached a settlement with 38 U.S. states and the District of Colombia, agreeing to pay $7 million and destroy the data it collected in the U.S. [Venture Beat] See also: [Maybe SCOTUS Gets Tech After All]

US – Privacy Groups Write Letter Against CISA

A group of 22 privacy groups wrote a letter to the Senate Intelligence Committee warning of the increased surveillance that would come with the Cybersecurity Information Sharing Act. Senate Intelligence Committee Chairwoman Dianne Feinstein (D-CA) and Vice Chairman Saxby Chambliss (R-GA) introduced the bill, which has been called a rehash of their failed bill CISPA. The letter said the bill doesn’t appropriately restrict data-sharing and includes broad definitions of cyber threats and a failure to protect personally identifiable information. [The Hill]

US – Federal Judge Rules SC Law Banning Political Robocalls Unconstitutional

U.S. District Court Judge Michelle Childs has ruled that a South Carolina law banning political robocalls is unconstitutional. Basing her decision on the First Amendment, Childs noted the government should not use content—importantly, political speech—to ban robocalls. A Columbia-based media attorney noted, “Political speech has the highest level of protection under the First and Fourteenth Amendment, and the court’s ruling is certainly consistent with the notion that a content-based restriction on political speech can be constitutional only if it serves a compelling governmental interest and no less-restrictive alternative exists.” [SC Now]

US – FTC Launches Contest at DEF CON to Find Robocall Solution

The FTC receives more than 150,000 complaints about robocalls every month, but it’s determined to find a technological solution and is tapping one of the world’s largest hacking conferences to find answers. It will hold a contest at DEF CON 22 in Las Vegas, NV, this August “to inspire the next generation tech solution in the fight against illegal robocalls,” according to the FTC’s blog. “Unfortunately, the technical distinctions between a telephone call and an e-mail have made it difficult to use Internet security tactics in the battle against robocalls,” the blog says, but the contest will hopefully change that. [FTC]

US – SCOTUS Unanimously Rules Warrants Needed for Cell Searches

In a developing story, the Supreme Court of the United States has unanimously ruled that law enforcement must obtain a warrant prior to searching the contents of a suspect’s mobile phone. Chief Justice John Roberts wrote, “To further complicate the scope of privacy interests at stake, the data a user views on many modern cell phones may not in fact be stored on the device itself,” adding, “Treating a cellphone as a container whose contents may be searched incident to an arrest is a bit strained as an initial matter.” Roberts also wrote, “We cannot deny that our decision today will have an impact on the ability of law enforcement to combat crime … Privacy comes at a cost,” but the justices reserved the right for police to claim “exigent circumstances.” [Full Story] [Court defends ‘21st-century mobile castles’: U.S. ruling protects cellphone privacy and ‘bodes well’ for Canada]

US – What the SCOTUS Cellphone Decision Means Going Forward

With the proliferation of smartphones and other electronic devices, courts have struggled to apply old Fourth Amendment principles to modern technologies and the digital data they hold. Now, by and large, that struggle is over. The change came through an unexpected vehicle: Riley v. California. Yesterday, the Supreme Court decided in a surprising 9-0 decision that police officers must now obtain a warrant before searching the digital information on the cellphone of an arrestee. The court’s ruling in Riley signals an important shift in the notion of privacy as it relates to digital information. IAPP Westin Research Fellow Dennis Holmes analyzes the decision and its implications for Privacy Tracker. [Full Story]

US – U.S. May Extend Privacy Right of Redress to Europeans

The U.S. government may extend to Europeans a privacy right in the U.S. that EU citizens have at home, according to a European Commission press release. A welcoming statement from EU Justice Commissioner Viviane Reding noted U.S. Attorney General Eric Holder said the U.S. intends to “take legislative action in order to provide for judicial redress for Europeans who do not live in the U.S.” Reding said this action could remove a major obstacle in negotiations between the two regions. “This is an important first step towards rebuilding trust in our transatlantic relations,” Reding said, adding, “Now the announcement should be swiftly translated into legislation so that further steps can be taken in the negotiation. Words only matter if put into law. We are waiting for the legislative step.” [Full Story]

US – Competitors Put Differences Aside to Fight Microsoft Case

Apple, Cisco and AT&T all filed amicus curiae briefs supporting Microsoft in its appeal of a federal court order to turn over a customer’s information stored in a data center in Ireland to U.S. law enforcement officials. Verizon filed an amicus brief last week. “The case highlights how the advent of cloud computing has technology companies overcoming their competitive differences in order to challenge troublesome data protection laws,” the report states. The companies say the court’s reasoning indicates, no matter where it is stored in the world, customer data isn’t safe from law enforcement’s grip. [GigaOM]

US – Tech Giants Back Spokeo in Privacy Class-Action

A group of web companies have joined together to back Spokeo in fighting a class-action lawsuit alleging the company provided inaccurate data. Google, Yahoo, Facebook and eBay are pushing the Supreme Court to hear Spokeo’s appeal of a recent decision allowing a Virginia resident to sue the data broker for allegedly violating the Fair Credit Reporting Act. In an amicus brief, the tech companies argue such “no-injury” lawsuits are producing an “increasingly negative impact” on their business. “If any of the millions of individuals who interact with (web companies) is willing … to allege that a generalized practice or act violated a law providing a private cause of action and statutory damages, then she could launch a putative class action,” the companies write. [MediaPost News] [Spokeo, Inc. v. Thomas Robins – Brief for Amici Curiae eBay Inc., Facebook, Inc., Google Inc., and Yahoo! Inc. in support of Petitioner – In the Supreme Court of the United States]

US – Judge Rules Carrier IQ Privacy Lawsuit Must Move Forward

U.S. District Court Judge Edward Chen has ruled that a privacy lawsuit against Carrier IQ must move forward. Chen wrote he was “not convinced” that allowing the case to continue would cause “irreparable injury” to the company. In 2011, Carrier IQ was accused of logging users’ keystrokes on mobile phones. Chen also suggested that the involved parties could resolve the issue through mediation and directed them to proceed with discovery. In the meantime, Chen scheduled the next conference for mid-November. [MediaPost News]

US – Markey Wants Privacy Protected Before Commercial Drones Take Flight

Sen. Ed Markey (D-MA) proposed a funding bill amendment to prohibit the Federal Aviation Administration (FAA) from approving nonmilitary drone use unless steps are taken to protect personal privacy. The amendment would require the FAA to add a data collection mechanism to its application process for commercial drone use that would specify the drone operator, the location where the drone would be flown and what type of data would be collected, along with what would happen to it afterwards, the report states. “We need to build in strong personal privacy protections and public transparency measures before commercial drones take off, which is exactly what my amendment will do,” Markey said. [The Hill]

US – House Has Enough Votes for ECPA Reform

The E-mail Privacy Act gained its 218th cosponsor this week, enough to give lawmakers hope the reform could move forward this year. “Having a majority of House members supporting our bill shows House leadership that the bill would pass … if it was put on the House floor,” said one of the bill’s authors, Rep. Kevin Yoder (R-KS). The proposed legislation would reform the Electronic Communications Privacy Act. There are signs, according to the report, that other lawmakers may have “some interest in attaching additional components,” including restrictions on law-enforcement access to cellphone location information. Though Yoder conceded that he’d be flexible with add-ons, he warned, “The more things you add … the more challenging it becomes.” [The Hill]

US – Changes to Incident Reporting; Potential New Legislation

The “Morning Cybersecurity” report from Politico had a number of items of interest. First, they report on an update from US-CERT that will change the system for reporting cybersecurity incidents on federal networks. It’s expected to go into effect by October 1. Further, Rep. Lee Terry (R-NE) is expected to circulate a federal data breach bill this week, which would go before the House Energy and Commerce Committee. He’s looking for democratic cosponsors before bringing the bill forward. In other legislative news, the FY15 State and Foreign Operations Appropriations bill supports funding to continue for implementing the White House’s International Strategy for Cyberspace. Finally, there is a note on YouTube and its 38,000 instructional videos on obtaining stolen credit card numbers, discovered by the Digital Citizens Alliance. [Politico]

US – Judge Rules LinkedIn Must Face Privacy Lawsuit

Professional services social network LinkedIn must face a privacy class-action lawsuit alleging the company violated its users’ privacy when it accessed their external e-mail accounts, downloaded their contacts’ e-mail addresses and solicited business from those contacts. U.S. District Court Judge Lucy Koh said the practice “could injure users’ reputations by allowing contacts to think that the users are the types of people who spam their contacts or are unable to take the hint that their contacts do not want to join their LinkedIn network,” adding, “In fact, by stating a mere three screens before the disclosure regarding the first invitation that ‘we will not … e-mail anyone without your permission,’ LinkedIn may have actively led users astray.” [Reuters]

US – Tech Sector Approves of New Majority Leader

Newly appointed House Majority Leader Kevin McCarthy (R-CA) is receiving praise from much of the tech sector. “Few members of Congress have as deep an understanding and appreciation for the economic impact and social change created by technology as Leader McCarthy,” said TechNet Chief Executive Linda Moore, who added, “he knows what public policies make the innovation economy thrive.” TechNet’s members include Apple, Google, Facebook and Microsoft. [The Hill]

US – State Working on Privacy Changes; New Social Network for Students, Teachers

The Louisiana Board of Elementary and Secondary Education (BESE) is expected to appropriate $1 million toward an effort to create a new identification system for public school students that doesn’t use Social Security numbers. A recently passed bill requires schools to use unique student IDs. The BESE president said, “This goes to the benefit of every single family and every single student of this state.” Meanwhile, Wired reports on Edmodo, a social network built specifically for primary and secondary students and teachers that offers new ways for teachers to assess students and trade tips. Cofounder Nic Borg said, “K-12 is an incredibly change-resistant system, and to be disruptive, you have to do it in the least disruptive way possible.” [Associated Press]

US – Hearing Features Debate on Student Data Mining, FERPA Reform

During a joint House subcommittee hearing on student privacy, experts, industry, regulators and lawmakers explored and debated the current state of federal student privacy laws in the digital age. Overall, there was quite a bit of agreement on moving forward with student privacy issues—including greater participation by states and the need for more legal counsel in drafting contracts between school districts and vendors—but panelists did not agree on the existing scope of the Family Educational Rights and Privacy Act and whether a federal mandate updating the statute is necessary. [The Privacy Advisor].

US – Lofgren: Congress Has No Appetite for Consumer Privacy Bill

Rep. Zoe Lofgren (D-CA) has said she does not see Congress moving forward with consumer privacy legislation any time soon, The Hill reports. “We’re not doing that,” she said, adding, “Do you see any appetite to do that? No.” At this point, Congress is focused on government surveillance reform. “People have an interest in privacy overall,” she noted, “but Yahoo can’t arrest you.” [Full Story]

US – Federal Breach Law Not Likely, Especially with Cantor Defeat

Kentucky recently became the 47th state to enact a breach notification law. One of the bill’s sponsors pointed to its success as a way “to be in uniformity with other states, especially the big commerce states that you think of, like Texas, New York and California,” adding, “That uniformity helps our business community here.” However, Joseph Lazzarotti, head of Jackson Lewis’ privacy, social media and information management practice, notes, “The nuances of breach notification laws across the country … further complicate responding to multi-state breaches.” The “toxic atmosphere in Congress” means “a data breach notification measure and other cybersecurity reforms can’t get passed,” noting that the defeat of House Majority Leader Eric Cantor in his state’s primary race “makes passing such a bill tougher.” [BankInfoSecurity]

US – Sixth Circuit Clarifies “Development” in Dirty World Decision

The Sixth Circuit has overturned a lower court ruling that determined a website provider was liable under Section 230 of the Communications Decency Act for defaming comments made on the site. The district court ruled against Dirty World Entertainment, saying, ““a website owner who intentionally encourages illegal or actionable third-party postings to which he adds his own comments ratifying or adopting the posts becomes a ‘creator’ or ‘developer’ of that content and is not entitled to immunity.” The Sixth Circuit, however, interpreted the term “development” using the “material contribution test” and sided with the defendant, saying it “cannot be found to have materially contributed to the defamatory content of the statements … simply because those posts were selected for publication” or “through the decision not to remove the posts.” [News Room Legal]

US – Data-Flow Restrictions Topic at Presidential Meeting

President Barack Obama’s Export Council hosted a meeting that included discussion on the effect foreign laws are having on cross-border data flows. Private-sector members submitted to Obama a recommendation letter detailing concerns about data flow restrictions in other nations and how other governments are implementing “digital protectionism.” The report states, “These foreign laws may limit the ability of American businesses, particularly small- to medium-sized businesses, to expand their business operations to include countries that enact such measures.” [Hunton & Williams’ Privacy and Information Security Law Blog]

US – Is Self-Regulation the Way Forward for Privacy?

A few weeks back, as part of the European Commission’s Digital Agenda for Europe, the Community of Practice (CoP) held its second-ever meeting to explore co- and self-regulatory best practices, and, today, the Council of Better Business Bureaus (BBB) is holding its first-ever meeting to develop self-regulatory best practices. The BBB’s Genie Barton said, “as far as I know, it’s the first private-sector conference on self-regulation writ large in the U.S.” This exclusive for The Privacy Advisor looks into both events and explores the role self-regulation has in privacy, including insights from Barton, the CoP’s Robert Madelin, FTC Commissioner Maureen Ohlhausen, National Consumer League’s Sally Greenberg and the Future of Privacy Forum’s Joshua Harris.

US – Lawyers Given Green Light to Scan Social Media Sites of Jurors

Lawyers have been given the green light to scan the social media sites of jurors. The American Bar Association says it’s ethical for lawyers to scour online for publicly available musings of citizens called for jury service—and even jurors in deliberations. But the ABA does warn lawyers against actively “following” or “friending” jurors or otherwise invading their private Internet areas. The “formal opinion” was issued in April and will serve as an ethical guideline for the nation’s lawyers. The ABA’s ethics committee began reviewing the issue about two years ago and concluded that looking at Facebook posts, Twitter tweets and other information gathered passively is ethical research. [The Associated Press]

US – Court Rules Against Wyndham in FTC Challenge

Court denies a hotel company’s motion to dismiss a lawsuit against it, holding it liable for a data breach suffered by a subsidiary – the claim sufficiently alleges that the company and its subsidiaries were operating as a common enterprise with respect to the use of computer systems that were not subject to reasonable safeguards and sufficiently identifies that on behalf of its subsidiaries, the company created the information security policies, and provided oversight for the IT and security functions. [FTC v. Wyndham Worldwide Corporation – 2014 U.S. Dist. LEXIS 84913 – United States District Court for the District of New Jersey]

Privacy Enhancing Technologies (PETs)

WW – Blackphone Reviewed: Little If Any Data Leakage

Dubbed the “Android for the paranoid,” the Blackphone runs an operating system called PrivatOS and is the first consumer-grade smartphone to be built explicitly for privacy. It employs services and software aimed at protecting users’ digital information in a straightforward way. The phone is the product of collaboration between Silent Circle and Geeksphone. the phone appears to live up the hype; user testing indicated “little if any data leakage that would give any third-party observer anything usable in terms of private information.” [Ars Technica]

US – $30 Million Investment Will Test Encryption’s Ease of Use

In one of the largest investments in consumer-privacy technology, encrypted messaging app Wickr has now received $30 million from venture capitalists. The service uses proprietary encryption for messaging, and, in a post-Snowden world, the service is enticing for many. However, some say it’s difficult to create encryption that is foolproof and easy to use. In the coming months, Wickr also plans to expand its services into paid offerings—including video communication. One of the main investors said, “There is room for what Wickr is doing to greatly enhance the effectiveness and the utility of messaging.” [The Wall Street Journal] Meanwhile, the Massachusetts Supreme Judicial Court ruled that a criminal suspect can be ordered to decrypt his seized computer.

WW – Introducing: Connect in Private

Like a lot of tech start-ups, Connect in Private has designs on changing the world. The unique angle in this case involves a patent the company has recently been granted for certificate-less, authenticated, encryption technology, or CLAE. “Current encryption is certificate-based,” said Alexander Hanff, a long-time privacy advocate who’s been brought on board as Connect in Private’s CPO. “That creates an issue because many of the certificate authorities are susceptible to secret court orders in the U.S. The beauty of CLAE is that it allows for identity-based encryption without the need for certificate authorities.” [The Privacy Advisor]

WW – Browser Add-on Aims to Decipher Privacy Policies

Privacy-focused companies Disconnect and TRUSTe have worked together to develop a browser add-on that translates website privacy policies into easily understandable language. The product, Privacy Icons, analyzes privacy policies, describing them in nine categories, including data retention, location tracking, expected use of data, and vulnerability to Heartbleed. Each category is accompanied by an icon that is colored, green, yellow, or red to indicate levels of concern about the site’s policy. The average website privacy policy is 2,400 words long and is written at a college student reading level. The pay-whatever-you-want add-on is currently available for Chrome, Firefox, and Opera. Versions for Safari, Internet Explorer, and mobile browsers will be available soon. [ComputerWorld] [DisConnect.Me]

WW – Disconnect, TRUSTe Unveil Privacy Icons

Consumer privacy software developer Disconnect, together with TRUSTe, has unveiled Privacy Icons, software intended to help consumers easily understand how websites collect and process their data. “Not many people read privacy policies,” said Disconnect Cofounder Casey Oppenheim in a press release. “But these are legally important documents that communicate what’s going on with your personal information. Privacy Icons translates these complicated policies into terms people can easily understand, including how their data is collected, shared and protected by the websites they visit and the services they use.” [Disconnect.Me]

EU – German Publisher Buys Into French Privacy Search Engine

German publisher Axel Springer has reportedly bought a minority stake in French search engine company Qwant—a privacy-conscious search engine. Qwant categorizes results into columns for web, news, social and shopping, among others. “We want to use the knowledge of Qwant and to make an exchange of ideas to see how search works,” said Axel Springer’s Michael Schneider. The publisher’s CEO recently sent an open letter to Google Chairman Eric Schmidt on “why we fear Google.” [GigaOM]

WW – Hackers Use Snowden Leaks to Reverse-Engineer NSA Surveillance Devices

Edward Snowden’s document leaks gave security researchers the necessary insights to develop their own. After the NSA’s classified Advanced Network Technology catalogue was published, Michael Ossmann and his team set about recreating two of its approved radio-based surveillance devices: one that could be fixed to a computer’s monitor connector to send on-screen images and another that can be fixed to a keyboard cable to collect keystrokes. Before, nobody knew how the so-called “retro reflectors” worked, but armed with NSA documentation, Ossmann and co. were able to create their own tiny transistor-sized devices that could surreptitiously transfer wireless data to a nearby radio point (much like the NSA is reported to have done). For reference: intelligence officers can use radio-based trackers to monitor computers that are not connected to the internet. Now that the NSA tech is no longer a mystery, Ossmann intends to educate others about how the NSA’s bugs operate so they can be protected against in the future. He’s due to present his findings at the Defcon hacking conference in Las Vegas in August, alongside many other experts who have found ways to expose and rebuild the agency’s technology. [engadget.com]

Security

WW – Anti-Hacking Org: Industry Data-Sharing Is Needed

The U.S. National Cybersecurity and Communications Integration Center, now with the backing of Capitol Hill, is set to improve its role as the coordinator between U.S. banks, utilities and other critical infrastructure organizations to thwart cyber attacks. “If we don’t know what’s going on, we can’t respond to it,” said the center’s director, Larry Zelvin. Lawmakers are crafting legislation to allow businesses that share threat data with the center to not be liable. Privacy advocates are concerned, however, that the system would expand surveillance practices of U.S. intelligence agencies. Plus, Juniper Networks Vice President of Government Affairs Robert Dix said, “There are a lot of people in industry that frankly are not comfortable sharing” with the Department of Homeland Security. [Bloomberg]

US – Study Shows Benefits of CISO Reporting to CEO

CSO Online Publisher Bob Bragdon cites findings of the 2014 Global State of Information Security Survey that support the idea that the CISO should report directly to the CEO. Organizations in which the CISO reported to the CIO had 14% more downtime than those in which the CISO reported to the CEO. Companies in which the CISO reported to the CIO had higher financial losses. “In fact, having the CISO report to almost any other position in senior management other than the CIO reduced losses from cyber incidents.” The study gathered information from more than 9,000 respondents. [CSO Online]

WW – Ten Ideas for Improving Cyber Security

Ten cyber experts’ best ideas for thwarting digital security threats include changing the way we think about security and being proactive about protecting sensitive data; encouraging transparency from cloud services about data handling; making better use of encryption; developing systems that present smaller attack surfaces; developing a new secure network for critical infrastructure; and establishing privacy and data security regulation and enforcement for companies. Most acknowledged that there are no easy and quick fixes. [Forbes]

WW – Start-Up to Accelerate Smart Home Products; Nest Purchases Dropcam

Quirky is a start-up that fields and produces new product ideas, but its founder and CEO Ben Kaufman has realized that, increasingly, approximately one in four product pitches are for connected devices for the home. “The Internet of Things is still for hackers, early adopters and rich people,” he said, but his company plans to accelerate the adoption of smart home devices. Quirky will spin off a new company called Wink, dedicated exclusively to providing an operating system to integrate all kinds of automated home devices. Meanwhile, Nest, which was recently purchased by Google, will buy home-monitoring camera start-up Dropcam for $555 million. [The New York Times] See also: [You’ve Got a Connected Home: What Could Go Wrong?]

Surveillance

US – US Legislators Approve Measure to Cut Funds for NSA Backdoor Installations

The US House of Representatives has approved a measure that would strip funding from NSA surveillance programs that involve placing backdoors on IT equipment. The measure, an amendment to the Department of Defense Appropriations Act 2015, would also forbid access to citizens’ Internet communications under Section 702 of the Foreign Intelligence Surveillance Act, without a warrant. [CNET]

US – PCLOB to Release Report on Foreigner Spying

The Privacy and Civil Liberties Oversight Board will next week release its report on the NSA’s collection of foreigners’ data. The report will “contain a detailed analysis” of surveillance programs targeting foreigners, which the government has said are legal under Section 702 of the FISA Amendments Act. Meanwhile, a coalition of privacy groups has released a “Congressional Scorecard” that assigns lawmakers a grade based on their support for surveillance reform; the Office of the Director of National Intelligence has released its first annual report on U.S. surveillance programs, and the new NSA chief says the damage done by the Snowden revelations does not mean “the sky is falling.” [The Hill]

CN – Is Privacy Law Being Used To Quell Dissent?

Chinese officials arrested prominent human rights lawyer Pu Zhiqiang last week on “suspicion of the crimes of causing a disturbance and illegal access to the personal information of citizens.” The charges carry penalties of five and three years in prison, respectively. Pu was arrested at a private gathering commemorating the 25th anniversary of the Tiananmen Square protests, in which he took part. He has represented artist Ai Weiwei and other activists who have been a thorn in the side of the Chinese government. In a piece for The Washington Post, former NSA General Counsel Stewart Baker suggests the Chinese are using privacy law as a means to quell dissent. Further, “How is China’s privacy law different from the data protection laws that Europe has been urging the world to adopt?” [Reuters]

Telecom / TV

EU – Germany to Drop Verizon Contract Over Spying Fears

The German government plans to drop a contract with Verizon because of fears about U.S. government surveillance. Tobias Plate, a spokesman for the German Interior Ministry, said Berlin has decided not to renew the contract for Verizon to provide Internet service to several government departments, the report states. “There are indications that Verizon is legally required to provide certain things to the NSA, and that’s one of the reasons the cooperation with Verizon won’t continue,” Plate said. Verizon’s current contract will expire in 2015. [The Hill] [The Register] [ZDNet]

US – DAA Unveils Mobile Privacy App

The Digital Advertising Alliance (DAA) announced it has created a mobile privacy app that enables users to opt out of behavioral advertising on mobile devices. The tool will also allow users to pick and choose which ad networks and third parties to avoid. “It’s about getting this in front of the DAA participants and showing them what it looks like,” said DAA Managing Director Lou Mastria, adding the group will “be doing a bigger push” to market the app when it becomes available to consumers this fall. [MediaPost News] See also: [So, Your Site’s Secure. What About Your App?]

US Government Programs

US – GAO: Small Gov’t Agencies Lack Cybersecurity

A recent report from the Government Accountability Office (GAO) finds that policy gaps leave small federal agencies—those with 6,000 employees or less—unprepared for cybersecurity risks. GAO’s analysis of six small agencies, which found “policies and procedures related to information security and privacy often needed an update, were incomplete or missing entirely.” For the analysis, the agencies were scored against 11 security and privacy elements taken from various laws and guidance documents, including the Privacy Act of 1974 and the Federal Information Security Management Act. [FierceGovernmentIT] [download the report, GAO-14-344]

US – Audit: USPS Fails to Observe Safeguards with “Snail Mail Snooping”

While digital surveillance has been stealing the headlines lately, the U.S. Postal Service (USPS) has been failing to comply with key safeguards on “snail mail.” An Office of Inspector General audit of “mail covers”—orders to record addresses or copy the outside of mail sent to a particular individual or address—were not properly approved, and 13% were “either unjustified or not correctly documented.” Additionally, the audit uncovered that some of the safeguards to catch such violations were not being implemented since the USPS was not conducting the required annual reviews. Former White House Privacy Director Tim Edgar called the audit’s findings “troubling.” [Politico] [Redacted version of report]

US Legislation

US – U.S. Reps. Introduce SSN Protection Bill

Reps. Dennis Ross (R-FL) and Kathy Castor (D-FL) have introduced the Safeguarding Social Security Numbers Act of 2013, a bill to protect Social Security numbers by limiting the number of visible digits. “Identity theft is a serious issue in our community … More needs to be done to protect our neighbors, and this is bipartisan legislation to implement an important safeguard and reduce identity theft-related scams,” said Castor. [Sunshine State News]

US – Feinstein Releases Draft Information Sharing Bill

Senate Intelligence Committee Chairman Dianne Feinstein (D-CA) has released a draft of the Cybersecurity Information Sharing Act, which she wrote with the Committee Vice Chairman Saxby Chambliss (R-GA). The bill creates incentives for private organizations to share cybersecurity threat information with the government and within public agencies. It would provide liability protection for the sharing of cyber information for cybersecurity reasons under the terms of the bill and then sets out protections to stave off privacy intrusions, such as a requirement for companies to strip out personally identifying information before sharing data. [Sierra Sun Times]

US – Florida Governor Signs Breach Notification Law

Florida Gov. Rick Scott has signed a revised data breach notification law that strengthens consumer protections. The law includes a 30-day deadline on notification from the date of discovery of the incident, adds account credentials to the list of data that constitutes “personal information” and imposes a statutory requirement to protect that information, among other changes. [National Law Review]

US – Louisiana Gov. Signs Student ID Bill

Louisiana Gov. Bobby Jindal has signed HB 1076, meaning that public school students in the state will get unique ID numbers instead of having Social Security numbers tied to academic records, and districts will have to get parental consent before collecting certain student data. The state has until May 1, 2015, to put in place a system for unique IDs, and all public school students will have a number by June 1. [The Advocate]

US – New Jersey “Ban the Box” Heads to Gov.

New Jersey legislators have passed The Opportunity To Compete Act, which limits employers’ ability to conduct criminal background checks. Employers would be required to make a conditional offer to applicants prior to conducting such checks and would be subject to a $1,000 fine for a first offence and increasing to $10,000 upon a third offence. [NJBiz]

US – North Carolina Legislature Passes Student Privacy Bill

The North Carolina legislature has unanimously passed SB 815, which would require the state Board of Education to make information about the student data system available to the public and ensure the protection of personally identifiable information in the system. Sponsored by Sen. Chad Barefoot (R-District 18), the bill would also restrict the collection of biometric information and certain sensitive information and require notification of parental rights and opt-out opportunities. The bill now heads to Gov. Pat McCrory for a signature. [Lincoln Times-News]

US – Connecticut Gov. Signs Pharmacy Rewards Program Bill

Connecticut Governor Dannel Malloy has signed into law a bill requiring pharmacies to notify customers that take part in prescription drug rewards programs about which third parties will have access to their data and whether they will have access to protected health information. The law requires pharmacies to provide a “plain language summary of the terms and conditions” of their pharmacy reward programs before the consumers enroll and information on how they may revoke their HIPAA authorization. [Hunton & Williams’ Privacy and Information Security Law Blog]

US – Kentucky State Rep. Pre-files Drone Privacy Bill

State Rep. Diane St. Onge (R-District 63) has reintroduced a bill requiring police to obtain a warrant before using drones to gather evidence. St. Onge pre-filed the bill for the 2015 session and has received support from the American Civil Liberties Union and others. The bill allows for colleges and private businesses to use drones for research and business purposes and allows for emergency police use other than evidence-gathering. [USA Today]

Workplace Privacy

US – Employers Increasingly Monitoring Employees

Digital tools being used to monitor employees. In one positive example, a company learned workers are more productive if they have social interaction, so it introduced a 15-minute coffee break, resulting in reduced turnover and increased productivity. But fine-grained digital monitoring of worker behaviors concerns advocates like the Electronic Frontier Foundation’s Lee Tien, who said the rules on such surveillance are few. A Harvard researcher recently found that worker surveillance aimed at increasing productivity can sometimes have the opposite effect. Meanwhile, a new online service helps job candidates tidy up their Facebook and Twitter accounts before applying for jobs. [The New York Times]

ON – Workplace Safety Insurance Board (WSIB) Steps Up Spying On Clients

Documents obtained by Torstar News Service suggest the WSIB is spying on clients claiming to be seriously injured, now more than ever and often without cause. “Now that we are conducting more surveillance related to misrepresentation of level of disability where we don’t have an actual allegation, e.g. call record, there have been lots of questions from compliance specialists around what constitutes sufficient grounds to warrant surveillance,” states a 2011 internal email from Bob Thomas, an employee in the WSIB’s regulatory services division. Those “sufficient grounds,” according to the email, include dozens of indicators such as chronic pain, language barriers and problems speaking to an injured worker directly, frequent change of phone number or address, recovery times that are inconsistent with usual healing times, anti-social behaviour or overreaction and psychological problems. Other “red flags” for fraud, as the board refers to them, include forms returned by someone else or not signed, an unreasonable distance travelled by the worker to see a doctor, a worker who is “never home, returns calls after hours, noise in background” or who has a “first medical treatment from chiropractor.” The documents were obtained by the IAVGO Community Legal Clinic through a freedom of information request after surveillance was used to reduce the benefits of eight clients. [Source]

NO – Privacy Appeals Board, Norway – Decision on Employee CCTV Surveillance

The Board overturns the data protection authority’s prohibition on a company’s video and audio monitoring of its employees and a fine of NOK 200,000 (approximately USD 32,556) imposed under the Personal Data Act and the Personal Data Regulations); the monitoring is permitted provided that the cameras are not configured to gain access to staff areas via VPN (having IT equipment that can be accessed via the internet does not constitute a violation as long as the link is appropriately secured), cameras in an equipment room are permitted because the company’s interests outweigh privacy considerations (suspected employee misconduct), and the company does not have to erase secret audio recordings (the manual recordings are not searchable and some employees have been subjected to serious threats). [Source]

+++

01–15 July 2014

Biometrics

US – FBI Facial Recognition Not on Par with Facebook?

The FBI is planning to deploy its own facial recognition system, which will centralize millions of photos in one federal database, this summer and to have it reach all 50 states by year’s end. But the Electronic Frontier Foundation has found the system, called Next Generation Identification, isn’t as efficient as may have been expected. Facebook’s DeepFace system, however, operates at 97% accuracy, meaning “the nation’s most powerful law enforcement agency is getting outgunned by a social network.” One biometrics expert says while plenty of facial-recognition contractors promise near-human capabilities, “the difference between a human brain and a computer brain is huge.” [The Verge]

WW – New Google Glass App Reads Brainwaves, Translates Them to Action

A new app aims to kickstart a more seamless way of interacting with Google Glass. MindRDR links with Google Glass with a biosensor—which is mounted on the user’s head—to create a “communication loop.” The biosensor picks up on brainwaves that correlate to the user’s ability to focus. Then, those brainwaves are translated to a meter reading that “gets superimposed on the camera view in Google Glass. As you ‘focus’ more with your mind, the meter goes up, and the app takes a photograph of what you are seeing in front of you,” the report states. The technology may be used to train people to concentrate better or for medical applications for users with mobility problems, among other uses. [Tech Crunch]

CA – Facial Recognition with Biometric Encryption in Match-on-Card Architecture for Gaming and Other Computer Applications

A facial recognition system with biometric encryption using match-on-card (“MOC”) technology has the following advantages – the MOC technology allows the secure storage and processing of biometric data within a tamper-resistant secure module of a device which is in the user’s possession (including smart cards, USB flash drives, and certain types of smartphones), the system cannot be linked with other databases that store biometric keys (“BK”) since a BK generated for the same user will be completely different, the host stores a BK that is generated from a biometric that cannot be reverse engineered, and the smart card cannot be loaned to another user because the BK will not be valid. [Source] and also: [IPC ON – Privacy by Design Solutions for Biometric One-to-Many Identification Systems]

Big Data

WW – De-ID Is Not Sufficient: Scholars

Scholars at Princeton University say data de-identification tools aren’t sufficient to ensure privacy. Asst. Prof. Arvind Narayanan and Prof. Ed Felten have published an academic paper, “No Silver Bullet: De-identification Still Doesn’t Work,” poking holes at the methodologies of a paper published last month by researcher Daniel Castro and former Ontario Information and Privacy Commissioner Ann Cavoukian that claimed the opposite , the report states. Felton and Narayanan list eight problems with Castro and Cavoukian’s paper. “There is no evidence that de-identification works either in theory or in practice and attempts to quantify its efficacy are unscientific and promote a false sense of security,” they write. Meanwhile, Zach Wener-Fligner writes on “why you may never be truly anonymous in a big data world.” [IT News] and also: [De-identification Protocols: Essential for Protecting Privacy – Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, and Khaled El Emam, Ph.D., Canada Research Chair in Electronic Health Information, University of Ottawa]

EU – EDPS Report: Ensuring More Effective Data Protection in an Age of Big Data

The new E.U. legal framework will require data controllers to verify if any consent relied upon was valid, and that other legal grounds relied upon are also sound and convincing; this requirement will apply to the use of big data technology, and whenever personal data is processed in that context. The new framework will deliver stronger rights for data subjects, responsibilities for data controller, and supervision and enforcement of data protection rules across the EU; it will provide for strong sanctions (up to millions of euros) for the most serious cases. [Source] and see: [Using Privacy by Design to Achieve Big Data Innovation Without Compromising Privacy – Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, and David Stewart and Beth Dewitt, Deloitte] and also: [A Risk-Based Approach to Privacy: Improving Effectiveness in Practice – Center for Information Policy Leadership, Hunton and Williams LLP] and [The Scored Society: Due Process for Automated Predictions – Danielle Keats Citron and Frank Pasquale, University of Maryland School of Law – Social Science Research Network]

Canada

CA – Ottawa Prepares to Share Personal Data with Foreign Governments

The Conservative government has given itself broad new powers to share Canadian immigration files and other information with foreign governments – a practice that could have far-reaching implications for individuals who cross borders. The powers are included in Bill C-24, an overhaul of citizenship law passed last month, though have drawn little attention. The changes amend the Citizenship Act to allow Stephen Harper’s cabinet to draft regulations “providing for the disclosure of information for the purposes of national security, the defence of Canada or the conduct of international affairs,” including under international deals struck by Citizenship and Immigration Minister Chris Alexander. The police and our security agencies are clearly gaining warrantless access to customer information that allows them to identify us and our activities online and probably more. Cabinet will also now be permitted to allow the “disclosure of information to verify the citizenship status or identity of any person” to enforce any Canadian law “or law of another country.” Ottawa contends the final regulations are still being developed and will comply with Canadian law. However, critics warn the changes could lead to Canada sharing citizenship and immigration details with foreign countries, whether verified or not, without oversight. [The Globe and Mail] See also: [Allegations of widespread bugging at Saskatoon jail] and also: [OIPC BC – Special Report: A Failure To Archive – Recommendations To Modernize Government Records Management] and also: [OIPC BC – Updated Guidance on the Storage of Information Outside of Canada by Public Bodies]

CA – Canadians Report 1,000 Anti-Spam Law Violations

More than 1,000 complaints have been filed since the new anti-spam law took effect, says Manon Bombardier, the CRTC’s chief compliance and enforcement officer. Hundreds of reports have been submitted daily at fightspam.gc.ca and investigators are already at work looking into whether companies have violated the new law.Consumers who wish to report unwanted spam emails can forward messages to spam@fightspam.gc.ca or fill out an online form to register a complaint. “We’re going to look at all the complaints we receive,” Bombardier says. “We will be strategic in which ones we pursue for investigations but we will review all the complaints.” [The Canadian Press] See also: [Office of the Privacy Commissioner of Canada – Personal Information Retention and Disposal: Principles and Best Practices]

CA – A Review of CSEC SIGINT Information Sharing With Second Parties

The Minister of National Defense (the “Minister”) should issue a new ministerial directive to provide general direction to Communications Security Establishment Canada (“CSEC”) on its foreign signals intelligence information sharing activities with its second partners (the US, UK, Australia, and New Zealand), and set out expectations for the protection of the privacy of Canadians in the conduct of those activities. The CSEC Commissioner should report annually to the the Minister the number of one-end-in-Canada second-party-collected communications it acquires from its second partners. [A Review of CSEC SIGINT Information Sharing With the Second Parties – File #2200-79 – Office of the Communications Security Establishment Commissioner]

CA – A New Possibility for Security and “Privacy by Design”: Fault-Free Software

“Semantic analysis” is a new approach to ensuring software accuracy that analyzes code statements with formal logic rules to ensure the software is semantically correct and output data is tracked backwards through the logic to ensure it is consistent with the input data set; this approach can be used to achieve Security and Privacy by Design by identifying the presence of malware (semantic analysis can generate a functional signature, where any departure from that signature can be flagged) and addressing privacy issues (e.g., if output data sets are constrained to exclude personal information, the program logic can be tested to ensure it correctly handles an occurrence of PI in the input data set). [Source]

Consumer

US – Senator Wants Answers from Facebook

Sen. Mark R. Warner (D-VA) has asked the FTC to provide more details about Facebook’s emotion contagion study and to determine whether the company violated any existing law or its consent agreement with the agency. Meanwhile, in a separate story, Future of Privacy Forum Executive Director Jules Polonetsky writes about anti-behavioral advertising group Some of Us and its criticism of Facebook’s use of targeted ads. Upon looking at the group’s privacy policy, Polonetsky found the group “does exactly what it is calling on its users to protest to Facebook,” allowing tracking by some of the ad industry’s largest data brokers and placing users on an e-mail list for future use. [Forbes] See also: [European Regulators Looking Into Facebook Study] and [Canada: Facebook emotion study examined by privacy commissioner] and [Privacy vs. Personalization – The Creepy Side of Small Business CRM] and, finally: [Prepared Statement of Woodrow Hartzog to the Committee on Oversight and Governmental Reform Regarding the FTC and its Section 5 Authority] [Prepared Statement of Gerard M. Stegmaier to the Committee on Oversight and Governmental Reform Regarding the FTC and its Section 5 Authority] and finally [FTC v. Wyndham Worldwide Corporation, et al. – Memorandum Opinion and Order – United States District Court for the District of New Jersey]

US – Retail Breaches Making Customers Wary

Two surveys reveal that recent breaches are making consumers think twice about where they shop and how they pay for products. The Consumer Data Insecurity Report from the National Consumer League (NCL) notes consumers are increasingly blaming retailers for compromised credit cards and are changing services because of that. Security Matters: Americans on EMV Chip Cards states that nearly two-thirds of U.S customers are more likely to pay in cash after a breach. Nearly 60 percent of the fraud victims surveyed in the NCL study said their trust in retailers has significantly decreased. [Dark Reading]

AU – Psychologists Warn Lack of Privacy May Put Students at Risk

School counsellors in NSW independent schools fear students will avoid seeking help or talking openly about their problems because principals can now demand access to their confidential files, the Australian Psychological Society (APS) has warned. A new national privacy manual for independent schools says a principal can access a counsellor’s files “in the same way as he or she may call for the records made by any other school employee which relate to school matters”. It also says that if a student did not accept this, they would need to seek counselling elsewhere. The APS has warned the policy could have a devastating impact on students but the Association of Independent Schools of NSW says principals have no interest in prying into the private lives of students or their families and have an obligation to ensure the wellbeing of all students in their care. [The Sydney Morning Herald]

E-Mail

US – Goldman Sachs Wants Google to Delete Misdirected E-mail

To prevent what it calls a “needless and massive” breach of privacy, the Goldman Sachs Group is asking Google to delete an e-mail containing “highly confidential brokerage account information” that was mistakenly sent to a Gmail account. Goldman Sachs has filed a complaint with a New York state court and says Google “appears willing to cooperate” if that order is issued. The bank said, “Emergency relief is necessary to avoid the risk of inflicting a needless and massive privacy violation upon Goldman Sachs’ clients and to avoid the risk of unnecessary reputational damage to Goldman Sachs.” [Reuters] See also: [In The Matter Of A Warrant For All Content And Other Information Associated With The Email Account xxxxxxx@Gmail.com Maintained At Premises Controlled By Google, Inc. – Memorandum Opinion – U.S. District Court for the Southern District of New York] and [In the Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corporation – Government’s Brief In Support Of The Magistrate Judge’s Decision To Uphold A Warrant Ordering Microsoft To Disclose Records Within Its Custody And Control – U.S. District Court Southern District Of New York]

CA – Onslaught of E-mails: CASL’s Unintended Consequence

“In recent weeks, Canadians have been inundated with e-mails from retailers, manufacturers, nonprofits, even government agencies—all rushing to verify that people actually want their accounts flooded with deals, discounts, announcements or anything with a whiff of commerciality, useful or otherwise,” describing the phenomenon as “the unintended by-product of a new Canadian law designed to de-clutter inboxes.” Canada’s Anti-Spam Legislation (CASL) is now in effect, and senders of commercial electronic messages to Canadians—regardless of where the senders are located—must verify recipients’ consent, thus spurring the proliferation of e-mail requests in the weeks before July 1. [The New York Times] See also: [Geist: In Defence of Canada’s Anti-Spam Law, Part Two: Why the Legislation Is Really a Consumer Protection and Privacy Law in Disguise]

Electronic Records

WW – Human Care Systems Taps Perspecsys for Cloud Compliance

Human Care Systems (HCS), which designs and delivers patient, physician and pharmacist support services for some of the top pharmaceutical companies globally, has selected Perspecsys AppProtext Cloud Data Protection Gateway to secure patient medical data. Andrew Taff, director of operations and technology at HCS, said the selection was made in order to “meet strict EU data residency and privacy compliance requirements while recording, storing and processing patient treatment and medical data in the cloud.” The system will allow HCS to retain confidential and sensitive patient medical data within their “local regional data center” while transferring only “surrogate token values” to the cloud platform, according to a press release. [Big News Network]

Encryption

US – Survey: More Than One-Third of Respondents Not Using Encryption

A Voltage Security survey conducted at a recent European IT security exhibition found “nearly 36% of IT security professionals admit to sending sensitive data outside of their organisations without using any form of encryption to protect it.” Voltage CTO Terence Spies commented, “This statistic is cause for alarm, particularly given that encryption provides protection for companies against cyber criminals, competing companies and even governments; it is the key to keeping sensitive data away from prying eyes.” The survey included responses from 200 IT professionals, the report states. [Information Age]

UK – Jail Time for UK Man Who Refused to Surrender Crypto Keys

A UK man has been sentenced to six months in jail for refusing to surrender cryptographic keys to police. Computer science student Christopher Wilson was asked to provide police with keys to unlock his computer because he is suspected of breaking into the Northumbria Police website and attempting to break into the website of the Serious Organised Crime Agency. [The Register]

WW – Microsoft Flips Switch on New Webmail Encryption

Microsoft has pulled back the curtain on its implementation of tougher encryption standards for Web-based email and some cloud services, the company announced. In the works for more than six months, Microsoft has now activated Transport Layer Security encryption (TLS) for its webmail services at Outlook.com, Hotmail.com, Live.com, and MSN.com. This means it will be significantly harder for email originating from and being sent to a Microsoft account to be spied on, as long as the connecting email service also uses TLS. Matt Thomlinson, vice president of Microsoft’s Trustworthy Computing division, said that this work is part of a “comprehensive engineering effort to strengthen encryption.” “This effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data,” he said. [CNET]

EU Developments

UK – Britain Unveils Emergency Laws to Keep Email, Phone Data for Security

Britain said it would rush through emergency legislation to force telecoms firms to retain customer data for a year, calling the move vital for national security following a decision by Europe’s top court. Communication companies had been required to retain data for 12 months under a 2006 European Union directive but this was thrown out in April by the European Court of Justice on the grounds that it infringed human rights. Britain’s coalition government said the scrapping of that directive could deprive police and intelligence agencies of access to information about who customers contacted by phone, text or email, and where and when. Prime Minister David Cameron said it was vital these powers were not compromised at a time of growing concern over Britons travelling to Iraq and Syria to join militant Islamist groups. Those concerns prompted the government to take the unusual step of announcing fast-track legislation which, under a deal brokered behind closed doors between Britain’s three major political parties, could become law as soon as next week. [Reuters]

UK – Parliament Fast Tracking Emergency Data Retention Law

The UK government is pushing emergency legislation through Parliament that will require telecommunications service providers to store communications metadata for up to one year. All three major political parties have expressed their support of the measure. Prime Minister David Cameron says the law does not create new surveillance powers. The Data Retention and Investigation Powers Bill is being rushed through Parliament because in April, the European Court of Justice overturned the EU Data Retention Directive on the grounds that it “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.” [BBC] [v3.co.uk] [ZDNet]

UK – ISPs, Nonprofits File Legal Complaint Against Spying Practices

Seven Internet service providers, along with nonprofit groups from multiple countries, have filed a legal complaint against British spy agency GCHQ. The groups allege the organization illegally hacked into the computers of Internet companies to access their networks. The complaint was filed with the Investigatory Powers Tribunal and calls for an end to GCHQ’s targeting of system administrators to gain access to the networks of service providers for the purpose of mass surveillance. It also alleges GCHQ paired up with the U.S. NSA to target exchange points operated by three German companies, in violation of international law. [Wired] See also: [Report: NSA targeted German privacy activist]

EU – BCRs Gain Momentum with Article 29 WP Endorsement

Phil Lee discusses the Article 29 Working Party’s letter to the European Parliament illustrating the clear support that Binding Corporate Rules (BCRs) for processors have and will continue to have from the Working Party. BCRs are an “optimal solution to promote the European principles of personal data abroad,” said Working Party Chair Isabelle Falque-Pierrotin. The letter is “representative of a growing trend for global organizations to seek BCR approval in preference over other data export solutions,” Lee writes, noting there were 19 BCR-approved organizations in 2012 compared with 53 today. [Fieldfisher]

EU – EDPS Opines on the Transfer of Personal Data to 3rd Countries and International Orgs

The following are considered adequate safeguards when transferring personal data to an inadequate country – a third party beneficiary clause, clarification of the exporter and importer’s obligations (such as requirement to respond to enquiries, provide a copy of the clauses to the data subject, and submission to reviewing, auditing), a liability clause, obligation of the importer to communicate security breaches to the exporter, details of governing law, information about cooperation with supervisory authorities, and power of the data protection authority to block or suspend the transfers. [Opinion] [Press Release: European Commission – Cloud Service Level Agreement Standardisation Guidelines] [Guidelines]

EU – Germany Gives Berlin CIA Chief the Boot Over Spying Allegations

Germany has told the U.S. CIA station chief in Berlin to leave the country after two suspected U.S. spies were unearthed. The revelations follow allegations that Chancellor Angela Merkel was among the many Germans whose mobile phones were bugged by U.S. agents. “Spying on allies … is a waste of energy,” Merkel said. “We have so many problems, we should focus on the important things.” German authorities say they are investigating a government employee suspected of spying on confidential government affairs and have seized evidence including computers and several data storage devices. [Reuters]

EU – Privacy Pro to Head European Marketing Trade Group FEDMA

For the first time, a privacy officer will be the chair of a major European trade body. The Federation of European Direct and Interactive Marketing (FEDMA) has announced Sachiko Scheuing, the European privacy officer at Acxiom, has been elected to the post alongside Director General of the Dutch Marketing Association Diana Janssen. The two will serve a three-year term in an effort to further FEDMA’s pursuit of helping the marketing industry to use data in an ethical way and to ensure that both consumers’ and marketing organizations’ needs are met. [The Privacy Advisor].

EU – Reding Leaves European Commission To Become MEP

Four European Commissioners—including Viviane Reding—left their jobs after being elected to the European Parliament. Formerly the commission’s justice commissioner, Reding is now Luxembourg’s MEP, the report states. The other commissioners who have left their posts to become MEPs include former economics commissioner Olli Rehn of Finland, industry commissioner Antonio Tajani of Italy and Janusz Lewandowski, of Poland, who was previously in charge of the EU budget. Jose Manuel Barroso, outgoing head of the commission, “said their portfolios will be temporarily taken over by other commissioners, pending the hearings and appointment of their successors,” the report states, noting, “Austria’s Johannes Hahn, responsible for regional policy, will also look after justice and fundamental rights.” [EU Observer]

Facts & Stats

CA – Most Alberta Freedom of Information Requests Get No Results

Two out of three Albertans who ask for government records using a freedom of information request get nothing, a Journal analysis shows. A review of nearly two decades of data revealed a majority of people who request provincial records are told documents “do not exist.” Fewer than two in 10 will get some of the information they wanted, and fewer than one in 10 will get everything they asked for. Information and privacy commissioner Jill Clayton said the findings are “concerning,” and she will review the issue as part of her ongoing investigation into Alberta’s freedom of information system. [Edmonton Journal] See also: [Nova Scotia: New FOIPOP review officer appointed for province] and [NB: Hospital privacy breach report set for release]

Filtering

WW – Microsoft Preps for RTBF; DPAs Prep for Refusals

In response to the recent EU high court ruling, Microsoft plans to join Google in rolling out an online takedown form to delink personal information. “Developing an appropriate system is taking us some time,” the company said. “We expect to launch a form through which users can make requests soon.” Data protection authorities in the EU plan to meet next week to commence work drafting “procedural guidelines” for handling complaints about search engines’ refusals of takedown requests. [The New York Times]

Finance

US – Federal Court Dismisses FINRA Privacy Case

A U.S. District Court judge has tossed a privacy lawsuit by a former broker who alleged public disclosures by the Financial Industry Regulatory Authority (FINRA) violated his privacy rights. Alan Santos-Buch sued FINRA for making details of a 1997 case against him public on its website and in a regulatory document. He said such public disclosures have made it difficult for him to get a job. However, the judge ruled the case failed to raise “substantial constitutional questions” that would allow it to proceed, noting in a 21-page opinion, “Santos-Buch has failed to allege any facts establishing that irreparable injury may occur without immediate judicial relief.” [Reuters]

FOI

EU – EU Court Orders More Transparency of Anti-Terror Program

The Court of Justice of the EU (CJEU) has ordered that EU institutions be more transparent about negotiations over transferring EU citizens’ banking data to U.S. anti-terrorism authorities. In 2001, the U.S. Terrorist Finance Tracking Program had ordered the Society for Worldwide Interbank Financial Telecommunication to share financial transactions via its U.S. operating center. Of the recent CJEU ruling , Dutch MEP Sophie in ‘t Veld said, “The court clearly states that transparency is a prerequisite for a truly democratic Europe. The European Union must develop from a Europe of diplomats, discretion and confidentiality to a Europe of citizens, administrative transparency and trust.” [PC World]

US – FOIA Lawsuit Seeks Documentation of Intelligence Agency Flaw Stockpiling

The Electronic Frontier Foundation (EFF) has filed a Freedom of Information Act (FOIA) lawsuit for information about US intelligence agencies’ stockpiling of security flaws. Specifically, the request seeks information about how intelligence agencies decide which flaws to disclose and which to keep secret. The privacy rights group is concerned that the flaws, which have not been patched by software vendors, could pose a threat to users. [The Register] [ComputerWorld]

CA – Edmonton Urged to Publish Sunshine List of Top Salaries

Edmonton should follow the provincial lead and disclose its own sunshine list, a government-spending critic argues. Figures compiled by the Journal show that roughly 2,000 City of Edmonton employees earned more than $100,000 last year. The information indicates roughly 12.3% of the total 16,100 workforce — planners, bus drivers, park rangers, technicians and other staff — made six figures in 2013. Fire rescue services and the Edmonton Police Service each had 27% of their staff in this range, the highest proportion among major sections of the city. But virtually everyone in the auditor’s office — 13 of 14 employees — was paid $100,000 plus. In January, the province released a “sunshine list” of 3,455 public service employees — 12.7% of the total — whose pay and benefits exceed $100,000. Derek Fildebrandt, the Alberta director of the Canadian Taxpayers Federation, said Edmonton should follow suit. About 11.7% of Alberta’s overall labour force was in the $100K club in 2011, according to the most recent Statistics Canada figures.[Edmonton Journal] [Alberta Education broke privacy laws in minister Jeff Johnson’s email to teachers]

Genetics

CA – Call to Halt Use of Gene Test Results in Insurance Calculations

Canada’s Office of the Privacy Commissioner (OPC) has issued a statement urging the life and health insurance industry to refrain from asking applicants for access to existing genetic test results. This would require the insurance industry to go beyond its current voluntary moratorium on asking people to undergo genetic testing on application. The insurance industry, however, disagrees. ‘They say these tests aren’t necessary, we think they are’, said Frank Zinatelli, vice president and general counsel for the Canadian Life and Health Insurance Association, a group representing 99% of the insurance industry in Canada. From the commercial perspective, it thought that genetic information should be treated in the same way as any other piece of available medical information; access to data enabling accurate individual risk classification is paramount to the insurance industry’s sustainability. The present lack of legislative guidance on the issue in Canada appears to contribute to the sense of urgency with which the OPC statement has been issued. Nevertheless in, ‘[r]ecognising that the state of medical technology is changing rapidly,’ the OPC has indicated that its ‘position should be revisited on a periodic basis’. [BioNews] [Source]

Google

EU – Google to Tour Europe on Privacy, RTBF

In response to the EU court ruling on the right to be forgotten, Google plans to tour Europe as early as this fall in a series of meetings to explain its stance on privacy. Additionally, the online search giant has announced additional members of its privacy panel, including former German Minister Sabine Leutheusser-Schnarrenberger and Le Monde Editorial Director Sylvie Kauffmann. Details on the full 10-person panel, with individual biographies, as well as an online form asking users to “tell us your thoughts on the CJEU ruling” are now available on a Google webpage. “For each of these requests, we’re required to weigh … an individual’s right to be forgotten with the public’s right to know,” Google states. “We want to strike this balance right.” [The New York Times] See also: [Businesses Finding Opportunity in RTBF Ruling] [Brussels: Google seeks privacy debate]

WW – Google Restores Links Removed After RTBF Ruling

Google has “restored links to some news articles that were removed to comply with a European Union court privacy ruling days after the deletions were criticized by publishers.” The news follows last week’s comments by a UK journalist that the so-called “right to be forgotten” will curtail freedom of expression. The Guardian’s Hayley Dunlop said, “Some but not all of the Guardian stories that Google hid in search results are now appearing once more,” and notes The Telegraph has also confirmed two 2010 articles that had been removed are once again accessible. The UK Information Commissioner’s Office has not “received any complaints over how Google has handled requests for removal,” the report states. [Bloomberg] [Google does U-turn on some deleted links in ‘Right to be Forgotten’ cases]

UK – Google Blurs Out Homes of Celebrities on Its Street View Maps

Google has begun blurring out the homes of celebrities on its ‘street view’ maps after some claimed the images breached their privacy under new European laws, it has been reported. The search engine giant this week removed images of properties owned by the likes of Prime Minister Tony Blair and Sir Paul McCartney. Pictures of houses owned by singer Katherine Jenkins and rocker Jimmy Page are also understood to have been removed, according to reports. The Google Street View tool currently includes millions of photographs which allow online users to navigate their way around most parts of the UK at street level in 3D. But following a ruling by the Court of Justice of the European Union in May, which gave individuals the “right to be forgotten”, certain images have become obscured. [London Evening Standard]

Health / Medical

WW – Is Big Data Becoming Health Industry’s Big Brother?

Health data generated by apps, devices, electronic health records and wearables combined with purchasing and TV-watching habits tracked by social media sites and others mean big data may be poised to become big brother, noting, “It’s hardly out of the question that someday soon the healthcare industry might want to tap into social media to find out more about patients’ health habits.” A new report by the World Privacy Forum (WPF) found healthcare analytics companies are already drawing from retail databases, data brokers, retailer loyalty cards and nonprofit organization member lists, among others. The WPF report notes if the data is used for discrimination, it could have “dire consequences … The secrecy of the data being shared is the part society should worry about.” [GovernmentHealthIT] [Is Google eyeing big data analytics in electronic medical records?] and [OPC Canada – Wearable Computing: Challenges and Opportunities for Privacy Protection] and [Ontario’s privacy watchdog probing leak of woman’s medical information]

US – New Mobile Platform Seeks to Make Health Apps HIPAA-Ready

Medable is a platform designed to allow “medical grade” apps to safely share health data with clinical systems. Michelle Longmire, the Stanford-based physician who created the platform, said, “With Medable, mobile apps can make it easy for users to communicate with their doctors, nurses and caregivers and also provide them with any kind of data originating from the mobile devices,” adding, “That lets everyone receive the data, visualize it, and then communicate about it in a very natural way.” App developers can use the platform to create new services, all delivered through a software development kit and an application programming interface. Longmire also said Medable uses the HL7 clinical data format for easy integration with existing electronic health records systems. [VentureBeat] See also: [What big data could do for health care] and [The Legal And Ethical Concerns That Arise From Using Complex Predictive Analytics In Health Care]

WW – Can Software Make Health Data More Private?

Researchers are developing software designed to prevent sensitive medical information from being inadvertently shared. The software, developed by computer scientists at the University of Illinois, would allow patients to decide which parts of their records they want to keep private but also aims to use machine-learning analysis to reveal whether unselected information would disclose sensitive data such as mental health issues, sexually transmitted diseases or past drug abuse. The software would then keep that additional data confidential for the patient. “Electronic health records at the moment have no facility—none—to break the record into parts,” said Harvard Medical School’s John Halamka. “You either get the record or you don’t.” This software aims to change that. [MIT Technology Review] See also: [You’ve Been Doing It Wrong. Privacy Is Part of User Experience ]

CA – Hospital Suicide Prompts Review of Secrecy in ‘Quality of Care’ Law

Critics say the Quality of Care Information Protection Act — intended to allow for honest review of medical errors — has morphed into a shield for health-care providers. The Ontario Minister of Health launched a review of controversial legislation that keeps internal hospital investigations secret. The review comes after Star stories revealed the suicide of a 20-year-old while under a Brampton hospital’s psychiatric care and the family’s struggle for answers. The review will look at how the Act has been used in the past and “any shortcomings.” The sweeping piece of legislation, brought in in 2004, was meant to allow health professionals to speak freely about medical error without fear and to protect patient privacy. But critics of the Quality of Care Information Protection Act (QCIPA), including NDP health critic France Gelinas, say it has morphed into a shield for health care providers at the expense of the public’s trust. The Freedom of Information and Protection of Privacy Act does not apply to QCIPA. and unless otherwise specified QCIPA trumps all other Acts. That means the public won’t know how an incident happened — or the steps being taken to prevent it from happening again. [Toronto Star] see also [Toronto: Hospital class action informed by intrusion upon seclusion case] and [Temorshah Hafizi v. Her Majesty the Queeen – Court File No. 12-1063 – Ontario Superior Court of Justice]

Horror Stories

US – One Class-Action Gets Tossed While Others Forge Ahead

An Illinois state court has thrown out a putative class-action lawsuit over a data breach at Advocate Health and Hospitals Corp., finding “the plaintiffs needed to prove that their data had actually been misused in order to sustain their claims.” In California, however, a federal judge gave preliminary backing to a class-action settlement that would give $15 million in games, online currency and ID theft reimbursement to PlayStation Network users affected by a 2011 data breach, and a long-standing dispute over Carrier IQ’s alleged violation of consumers’ privacy has been sent to mediation. Meanwhile, the California Department of Managed Health Care is apologizing for an incident where 18,000 doctors’ Social Security numbers were released and San Diego Children’s Hospital Mistakenly Shares Medical Data and [Gaelen Patrick Condon et al. v Her Majesty the Queen – 2014 FC 250 – Federal Court of Canada] [Law 360]

US – AG Fines Country Store $3,000 for Failing to Notify Security Breach

In a move that shows even small businesses are not free from privacy obligations, the Vermont attorney general (AG) has levied a $3,000 civil penalty on a country store for failing to notify its Internet customers of a security breach. Late last year, the Shelburne Country Store’s website was hacked and credit card information was stolen. The company fixed the problem but did not notify consumers until it was contacted by the AG. “At this stage of the game, having seen widely reported data breaches at big retailers like Target and dozens of others, we will not accept the excuse that a business did not know of its obligations to report a breach,” said Vermont AG William Sorrell. [Vermont Biz] See also: [US Blue Shield discloses 18,000 doctors’ Social Security numbers] and [OPC Canada – Ten Tips for Reducing the Likelihood of a Privacy Breach]

US – Luxury Hotel, School District Hit by Breaches

The Houstonian Hotel, Club & Spa has announced at least 10,000 customers’ credit card details were exposed in a breach that lasted approximately six months. The “malicious software attack” commenced on December 28, 2013, and continued until June 20, the report states. “We undertook immediate action to fully secure our customers’ data,” a news release issued Tuesday said. “As of June 20, we had fully replaced and overhauled the breached systems, further restricted access to all our servers and hired a data forensics firm to help us enhance our digital security.” Meanwhile, a Kansas City-based school district is investigating an incident that involved current and former students’ and employees’ personal data—including Social Security numbers—being leaked online. [Houston Chronicle]

Identity Issues

WW – When a Password-Is-Dead Scheme Goes Terribly Wrong

Recently, The Wall Street Journal’s Christopher Mims, to prove a point that two-factor authentication makes relying simply on passwords a thing of the past, publicly posted his Twitter password. However, the experiment went terribly wrong. In response, “a whole bunch of people tried to log in to his Twitter account,” prompting Twitter to send Mims a text message. Mims said at one point he was receiving two text messages per minute. He then tried to switch to a “Twitter for iPhone” app, which essentially revealed Mims’ phone number to those who clicked the verification code link. “The good thing to come out of exercises like these,” Hill writes, “is getting companies to protect stupid users from themselves.” [Forbes] See also: [How to Teach Humans to Remember Really Complex Passwords] and [Datatilsynet, Denmark – Guidance on Multifactor IT Security and Logins]

US – NY De Blasio Signs City ID Bill, Cards Will Be Free for One Year

New York Mayor Bill de Blasio signed into law a bill that would create a citywide identification card program. The cards will be free for the first year of the program. New Yorkers will be able to apply at locations in the five boroughs. The program is specifically designed to provide identification cards to the city’s nearly 500,000 undocumented immigrants so that they can sign apartment leases, open bank accounts, and visit their children at public schools, among other things. “This card important is for all New Yorkers,” de Blasio said. “But, for all those who don’t have ID, it’s going to be crucial.” Now the administration’s goal is to implement the program. The New York Civil Liberties Union issued a statement opposing the legislation, saying that it could expose the immigrants who apply for cards to prosecution and deportation by federal authorities. De Blasio said that the information will not be shared with any agencies and that applicants will not be asked about their immigration status.[Epoch Times]

CA – No Sin to Give Your SIN: Statscan Looks to Shore Up Census With Number

Statistics Canada is asking people to provide their SIN during test runs for the 2016 census, part of an effort to make the survey data more reliable. The agency is trying to find out if people will reveal a key identifier they’ve been so often warned to protect. The Conservative government eliminated the mandatory long-form census in 2011, saying it was too intrusive. It was replaced with a controversial voluntary National Household Survey. When the data from the survey was released last year, information on thousands of smaller communities was withheld because of low response rates. And because some people didn’t want to fill out the voluntary form or parts of it, collected data on income levels has been criticized as flawed. The agency is now asking a broad sample of those who fill out the tests of the mandatory, short-form census to include their SIN. The number will help tap into specific information from tax returns held by the Canada Revenue Agency, the type of solid data that could backstop the census. Previous questionnaires have asked people for permission to seek information from the revenue agency, but a SIN is a much more accurate link to income tax files than a name and date of birth. In 2006, the mandatory long census had a response rate of 93.5%. The 2011 NHS received a response rate of 68.6%, with higher reluctance among some groups, such as aboriginals. [The Canadian Press]

Internet / WWW

WW – TRUSTe Event Explores Intersection of Tech and Privacy

Data privacy management firm TRUSTe followed up on its work with the Future of Privacy Forum (FPF) to create a smart grid privacy seal by creating a day-long Internet of Things Privacy Summit, which concluded yesterday in Silicon Valley. The event had 26 speakers exploring the future of connected technology and its implications. Finally, the event finished with a debate on whether privacy “is even possible” in the Internet of Things era. The full event is archived and available for viewing. Following the event, TRUSTe announced an Internet of Things Privacy Tech Working Group, which includes the FPF, along with the Online Trust Alliance, the Center for Democracy & Technology and others. The group will begin meeting in the next three months and will report out findings at the next Internet of Things Privacy Summit in June of 2015. [Webcast]

US – NIST Cloud Computing: Forensic Science Challenges – NISTIR 8006

Challenges regarding cloud computing forensic science include the following – architecture (proliferation of systems, locations and endpoints that can store data), data collection (accessing the data of one tenant without breaching the confidentiality of other tenants), analysis (correlation of forensic artifacts across and within cloud providers), legal (identifying and addressing issues of jurisdictions for legal access to data), incident first responders (confidence, competence, and trustworthiness of the cloud providers to perform proper data collection), standards (minimum/basic standard operating procedures, practices, and tools), and training (misuse of digital forensic training materials that are not applicable to cloud forensics). [Source]

Law Enforcement

CA – Calgary Police, Bylaw Enforcement to Track Licence Plates for Parking Data

Each day for the past four years, Calgary parking enforcement officers drive the city’s streets in cars equipped with cameras designed to scan licence plates and identify parking scofflaws. Even if no violation has been committed, the city still holds on to data showing the time and location the vehicle was spotted, as well as a photo of the vehicle. As use of licence-plate scanning technology grows in Canada among bylaw enforcement agencies and police departments there is no consistency as to how long such data is retained or who it’s shared with. While some agencies scrub their systems of so-called “non-hit” data daily, others hold on to that data for several years or indefinitely. Some agencies share the data they collect with police investigators, while others require a warrant. Privacy advocates are worried. The technology is becoming a “mass surveillance” tool and demands better oversight, said Christopher Parsons, a post-doctoral fellow at the University of Toronto’s Citizen Lab specializing in technology and privacy issues. “It doesn’t matter that there are positive intentions behind this. It’s a surveillance system,” he said. The Calgary Parking Authority is now conducting a privacy impact assessment of its ParkPlus System, spokeswoman Shelley Trigg said. [Canadacom] See also: [NC man puts up massive tarp to block neighbor’s surveillance camera]

US – Hot-Car Death Highlights Key Role of Digital Evidence

One of the few details to come out of the murder case against suburban Atlanta dad Justin Ross Harris — whose son was found dead after being strapped into a hot car for hours — is that he searched for information about such deaths shortly before the incident occurred. According to police, Harris used his work computer to search for information about “child deaths inside vehicles and what temperature it needs to be for that to occur.” While Harris’ family appears to be standing by him and he’s been convicted of no wrongdoing, the revelation is the latest reminder that what you do and say online can become public in unpredictable and sometimes undesirable ways: Fifteen or 20 years ago, the notion of taking criminal evidence from a personal computer was as novel as the technology itself. Today, it seems commonplace and all over the headlines. [CNN]

Location

BR – City Partners with Traffic Apps in Data Deal

As commuters increasingly use apps that incentivize data-sharing in exchange for updates on traffic jams, one government is finding similar opportunities using the same services. Waze and Moovit collect data from drivers and pedestrians, respectively, feeding back information on the most efficient ways to get around. Rio de Janeiro’s Department of Transport has partnered with Waze to help it eye traffic and hazards—via the GPS datapoints fed once-per-second from users’ cellphones—in exchange for real-time data from the city on highways and from cameras. While Waze can indicate how fast drivers are moving, spokesperson Julie Mossler says the passively tracked data “is not something we share.” [Forbes] See also: [German Federal Data Protection Commissioner – Guidance on Data Protection Requirements for App Developers and App Vendors]

CN – Apple Tells China It Does Not Track User Location

In response to a China Central Television (CCTV) report, Apple said it does not track the location of Chinese iPhone users. Apple said it “does not obtain or know a user’s frequent locations … Apple does not have access to frequent locations or the location cache on any user’s iPhone at any time.” CCTV had alleged the tracking could reveal “state secrets,” arguing, “Even if this feature is turned off, the information will still be recorded.” Apple said it appreciated CCTV’s “effort to help educate consumers,” adding, “We want to make sure all of our customers in China are clear about what we do and we don’t do when it comes to privacy and your personal data.” [International Business Times] See also: [BC: CCTV used to spy on tenants was ‘illegal’]

Offshore

NZ – Proposed Data Breach Fines a ‘Drop in the Ocean’

The New Zealand government is expected to introduce a rewrite of privacy laws into Parliament next year, but one security expert says the proposals are imprecise and don’t go far enough. “We are following the world rather than leading,” he says, noting data breach disclosure has been debated in New Zealand since at least 2002. However, Benson describes proposed penalties such as a $10,000 fine for not notifying the Privacy Commissioner of a breach, as a “slap on the wrist”. “Liability or decent fines are needed for people who fail to disclose,” he said. Further, a lot of the provisions remain undefined and may only be defined in case law after a new Privacy Act is passed. The meaning of terms such as “serious cases”, “enforcing compliance” and “reasonable care” remain unclear. [ZD Net] See also: [NZ Privacy Act: ‘Need to know or nice to have’ Guidelines Released]

AU – Drones Face Privacy Regulation Under Oz Government Plan

A parliamentary report into regulation surrounding the use of drones has recommended that Australia consider creating a tort of privacy invasion – something ruled out by the country’s attorney-general George Brandis as recently as April. In an example of the strange bedfellows politics can make, privacy activists and farming lobbies agree – for, perhaps, different reasons – that unfettered flying of drones poses privacy risks, and the government-dominated but bipartisan committee agrees. The government-dominated “Standing Committee on Social Policy and Legal Affairs” has published a report entitled Eyes in the sky, which notes that privacy and surveillance laws around Australia are “a complex web”. For example, the report notes that surveillance using listening devices is tightly regulated, but police can use drones for surveillance “without a warrant so long as they do not enter onto premises without permission, or interfere with any vehicle or thing without permission.” Hence the report’s recommendation that “the Australian Government consider introducing legislation by July 2015 which provides protection against privacy-invasive technologies (including remotely piloted aircraft), with particular emphasis on protecting against intrusions on a person’s seclusion or private affairs”. Such protection, the committee recommends, should include a tort of privacy invasion with “effective” opportunities for complainants to seek remedies. The recommendation has bipartisan support. [The Register] and [Eyes in the sky: Vanishing privacy] and [Hong Kong’s ‘hands off’ regulations prompt growth in drone flying by amateurs]

Online Privacy

US – Judge Approves Disclosure of Anonymous Commenters

A federal judge has authorized a subpoena to Craigslist and Amazon compelling the companies to disclose the personal details of anonymous commenters who allegedly posted negative reviews of nutritional supplement manufacturer Ubervita and its products. Judge Marsha Pechman said the subpoenas would be “intended to learn the John Doe defendants’ identities including names, addresses, telephone numbers, e-mail addresses, IP addresses, web hosts, credit card information, bank account information and any other identifying information.” [Hot Hardware] See also: [Is There Value in the Right To Be Anonymous Commenters?] and [WSJ – Clarke: In the Future, Only the Rich Will Have Privacy]

US – EPIC Files Complaint with FTC Over Facebook Study

The Electronic Privacy Information Center (EPIC) has filed a formal complaint with the FTC claiming Facebook deceived users when it conducted its emotion contagion study without user consent. “At the time of the experiment, Facebook did not state in the Data Use Policy that user data would be used for research purposes. Facebook also failed to inform users that their personal information would be shared with researchers,” the EPIC’s complaint states. Center for Digital Democracy Executive Director Jeff Chester said his organization will also speak with the FTC on this matter. Facebook Chief Operating Officer Sheryl Sandberg apologized for the study, saying it was “poorly communicated.” [USA Today]

WW – Facebook Study Demonstrates Need for Ethical Decision-Making

Opinions regarding the Facebook study on emotional response continue to reverberate in the privacy world. In a post for Re/code, Future of Privacy Forum Executive Director Jules Polonetsky and IAPP VP of Research and Education Omer Tene note “big data analysis raises issues that transcend privacy and implicate broader policy concerns around discrimination, filter bubbles, access to data and the ethics of scientific research,” adding, “Establishing a process for ethical decision-making is key to ensuring that the benefits of data exceed their costs.” In a separate post, Ed Felten writes, “experiments that manipulate user experience impact users’ privacy, and that privacy impact needs to be taken into account in evaluating the ethics of such experiments and in determining when users should be informed.” [Source]

US – Parents: Facebook Settlement Would Allow “Illegal Conduct”

Parents’ are reacting to Facebook’s $20 million settlement of a class-action filed over its “sponsored stories” program. The settlement “gives the company a free pass to violate laws in seven states that bar the use of a minor’s likeness without parental consent, the parents of several underage Facebook users told the Ninth Circuit,” the report states. They have filed a brief asking the Appeals Court to vacate the settlement, alleging it allows “clearly illegal conduct,” the report states. [Law360] See also: [Class-Action Alleges Retailer Routinely Violates Song-Beverly] See also: [Who benefits from online privacy policies?]

Other Jurisdictions

JP – Nation Set to Pass Cybersecurity Legislation

Deep and longstanding cybersecurity issues face Japan and how the nation is set to pass legislation that would bolster its cybersecurity. Recent cyber-attacks on Yahoo Japan, the country’s space agency, its largest defense contractor and Bitcoin operator Mt. Gox, as well as the highly publicized breach of Sony Playstation in 2011, have all threatened the world’s third largest economy. One information technology expert said, “The biggest problem—and the biggest ally of cyber-attackers aiming at Japan—is the widespread belief that ‘it can’t happen here,’” while also noting that cybersecurity awareness in Japan is still “very low.” [Businessweek]

RU – New Law Will Keep Personal Data Inside National Borders

The Russian State Duma has passed legislation that will require the personal data of Russian citizens to be stored inside the country. Any online service used by Russian citizens must have physical servers inside the country and such non-Russian businesses would be prohibited from sending personal information outside the border unless certain data protection guarantees are made. Those not in compliance would have their services restricted by the Russian state telecommunications agency. The proposed law is slated to take effect in September 2016, the report states, noting the law “could mean a fundamental change to how both international and Russian tech companies use international hosting services, not to mention huge costs for implementing the changes.” [TechCrunch]

Privacy (US)

US – NSA Won’t Release Snowden E-mails, Says Would Breach His Privacy

In response to a Freedom of Information Act (FOIA) request, the NSA has said it cannot release internal e-mails sent from whistleblower Edward Snowden because it would violate his personal privacy, according to U.S. News & World Report. Former Reuters Social Media Editor Matthew Keys filed the request seeking the e-mails sent from ejsnowd@nsa.ic.gov in the first five months of 2013. Snowden has said a number of times that he had raised concerns about the NSA’s surveillance programs internally while working as a contractor for the agency. The NSA had denied a broader FOIA request in June 2013. [U.S.News]

US – PCLOB Says No Illegitimate Activity in NSA Overseas Program

In a pre-released report on Section 702 of the Foreign Intelligence Surveillance Act, the Privacy and Civil Liberties Oversight Board (PCLOB) found no illegal activity but cautioned that parts of the program—including the collection of U.S. citizens’ communications—raise privacy concerns. Several civil rights and privacy advocacy groups said the report fell short of expectations. The Electronic Frontier Foundation said the recommendations were “anemic” and will do little to curb surveillance. New America Foundation’s Kevin Bankston tweeted, “If the last PCLOB report was a bombshell, this one is a dud.” [Computerworld]

US – Men File Suit Against 9/11 Threat Database

Five California men have started a legal battle against the government’s national database, built after Sept. 11 to store reports of suspicious activity in the hunt for terrorists. The suit, filed by the ACLU and Asian Americans Advancing Justice-Asian Law Caucus, challenges the database, alleging it’s “too easy for people engaged in innocuous activities to be put into the database and scrutinized as if they were a threat,” the report states. The plaintiffs include two photographers confronted by security guards at a national gas tank; an Egyptian-American who tried to buy multiple computers at a Best Buy, and a Muslim convert looking at a flight simulator game on the Internet. [The New York Times]

US – Group Releases Data Privacy Toolkits for School Districts

School technology officials’ membership organization Consortium for School Networking has released two new privacy-related toolkits, “Ten Steps Every District Should Take Today“ and “Security Questions to Ask of An Online Service Provider,” for school districts attempting to protect student information. “School leaders often need to access information immediately and with minimal hassle. These standalone resources will help district leaders quickly obtain the information and guidance necessary to ensure student privacy,” said Consortium for School Networking CEO Keith Krueger. [Education Week] [US Group Releases New Resources For Districts Grappling With Data Privacy] See also: [US: Officials say data could help identify at-risk children]

US – New York State Education Department Issues Parents’ Bill Of Rights For Data Privacy and Security

A New York law requires that a “Parent’s Bill of Rights for Data Privacy and Security” be published on the website of each state educational agency and be included with every contract that agency enters into with a third party contractor (“contractor”) that receives student data or certain protected teacher/principal performance data that is designated as confidential under the law. The Bill of Rights permits parents the rights of access and correction of their student’s personally identifiable information (“PII), and consent prior to disclosure of the PII from education records (unless FERPA permits disclosure without consent); in the event of a contractor data breach, the contractor must notify the agency, which must notify the parent. [Bill of Rights]

US – UC Berkeley Creates Campus Privacy Officer Post

As part of an initiative to bolster campus cybersecurity and information autonomy, the University of California-Berkeley has created a campus privacy officer position and is now looking for applicants. Interim Chief Information Security Officer Paul Rivers said, “I do absolutely see this position as critical to the mission of the campus … The proper balance between privacy and competing interests (such as information security) must be explicitly and transparently addressed in order to safeguard academic freedom.” [Daily Californian]

US – HHS Names New Office for Civil Rights Director

U.S. Health and Human Services (HHS) Secretary Sylvia Mathews Burwell has named Jocelyn Samuels as the new director of the agency’s enforcement wing. Samuels has previously served as acting assistant attorney general for the Civil Rights Division within the Department of Justice. She succeeds Leon Rodriguez at the Office for Civil Rights (OCR). Christina Heide, who is a senior advisor for health information privacy at the OCR, is also serving as acting deputy director for health information privacy. Susan McAndrew left the role in May. [Health Data Management]

US – FTC Approves iKeepSafe COPPA Safe Harbor Oversight Program

The FTC approved the iKeepSafe Children’s Online Privacy Protection Rule safe harbor program which includes an effective, mandatory mechanism for the independent assessment of the safe harbor program participants’; compliance with the guidelines; website operators that use a safe harbor program are subject to the program’s disciplinary procedures in lieu of formal FTC investigation and enforcement. [Press Release] [Approval Letter]

Privacy Enhancing Technologies (PETs)

WW – Companies Continue Rolling Out Privacy-Enhancing Tech

Technology designed to protect the online privacy of users from third parties or governments continues to make its way into the marketplace. Motherpipe recently announced it has launched privacy search extensions for the Chrome browser in the U.S., UK, India, Germany and Sweden. Motherpipe’s CEO said the service “offers users a choice when they are searching for things that they simply don’t want Google to share with anyone.” In a separate rollout, Rællic allows users to communicate securely. With three modes—”Normal,” “Paranoid” and “Tin Foil Hat”—Rællic’s director of systems said it “is the only software in the public sphere that offers such intensive but easy-to-use data protection to consumers and enterprises worried about interface with their communications.” [PRWeb] See also: [With privacy concerns rising in retail, Prism Skylabs says video analytics are the future]

WW – CitizenMe Aims To Embrace User Privacy and Ad Ecosystem

CitizenMe is an an app designed to inform users what online services deduce about their personalities and with future intentions to encourage users to sell that data to advertisers. Instead of reinventing the current Internet ad model, Meyer writes, the app aims to improve it. CitizenMe has been working with the Psychometrics Centre at the University of Cambridge to tap into web services to help determine how users are scored. “The first step is to provide visibility and control of data, so you can go into your settings and have some control. If you want to, you can share that data … you can exchange data for a reward,” the company’s founder said, adding, “We then provide a marketplace and exchange where we exchange on your behalf.” [GigaOM]

WW – Will IceBrowser Put Privacy Fears on Ice?

Amidst ongoing concern about government surveillance, a California company is turning to Iceland to offer its users “a new layer of security.” “The new IceBrowser service, which costs $30 a year for early users, browses the Internet through their computers routing through Iceland, using a method which blocks outside tracking and cookies as well as viruses,” the report says. Jeff Bermant, founder of California-based Cocoon, said of Internet privacy, “Certainly the United States is not considered a safe country … If they are using Internet services based in the U.S. they don’t actually have privacy.” [Forbes] [Startup Sees Iceland As Best Route To Chill Privacy Fears] See also: [The Revolution Will Not Be Monetized]

WW – Invisible IM Project Aims to Leave No Forensic Trail

The Invisible IM project aims to develop a means for people to communicate “without leaving a retrospectively recoverable forensic trail behind on third-party servers.” The technology establishes a local XMPP server on a user’s computer, which then connects to the Tor network. A secure mode will be available that will prevent anyone from knowing who is on someone else’s buddy list or even if they have ever communicated through Invisible IM. The project is being designed to provide anonymity for whistleblowers. [The Register] [ComputerWorld]

Security

WW – Survey: IT Pros’ Main Worry Is Wondering Where Sensitive Data Lives

A new global survey of more than 1,500 IT and IT-security professionals looks at how organizations understand and respond to data security threats today, Informatica Corporation states in a press release on a new Ponemon Institute study . The study found that the location of sensitive or private data is “the foremost concern of today’s IT-security professionals”—even above hacker attacks. The survey also found that organizations are “in the dark regarding sensitive data, with only 16% knowing where all their sensitive structured data resides,” the report states. Other concerns include migration to new mobile platforms, worker or contractor mistakes and outsourcer management of data. [Source]

US – Rise in Electronic Payments Sharpens Security Focus

Companies have decided they won’t wait “for Congress to ensure that the billions of dollars in electronic payments flowing through data networks each year are defended from hackers,” detailing efforts by businesses to combat data breaches. For example, the New York Office of the Attorney General has said security breaches in that state have become more serious and more common, and they cost businesses upwards of $1.37 billion last year. “With action in Congress unlikely to happen soon, the nation’s largest retailers and financial groups are taking it upon themselves to increase safeguards for consumer information. With their reputations and business on the line, both industries are determined to make progress.” [The Hill]

WW – Hackers Targeting Small Businesses

Small businesses face increased risk of a data breach or cyber-attack. One Georgia business owner, Brad Spiegel, owner of Quality Computer Systems, said, “Big businesses are going to have bigger, badder routers and bigger, badder equipment that is going to protect them. So the criminals are going to go after the low-hanging fruit.” A National Small Business Association survey revealed 44 percent of respondents had been victims of at least one attack. Meanwhile, eBay, which recently sustained a data breach, is expected to announce its earnings report later this week. In other reports, a judge has granted preliminary approval of a data breach settlement with Schnucks, with a potential payout ranging between $300,000 to $500,000, and the University of Illinois Chicago is warning former students of a possible data breach.

US – Hackers Targeted U.S. Gov’t Employees

Officials have confirmed that Chinese hackers infiltrated the computer networks of the U.S. Office of Personnel Management and appear to have been seeking information on federal employees who have applied for top security clearance. An official from the personnel agency said neither it nor the Department of Homeland Security had “identified any loss of personally identifiable information,” and an emergency response team has been assigned. Though the attack has been traced to China, it is not yet clear whether it is tied to the Chinese government. This incident comes on the heels of an attack on the Justice Department resulting in the indictment of a group of hackers from the Chinese military for stealing corporate secrets. [The New York Times] See also: [Cyber Crime and Security Survey Report 2013 – Australian Government]

WW – The Internet of Things: Smart Lightbulb Exposes Wi-Fi Password

In a proof-of-concept attack, Internet connected LED lightbulbs were used to gain access to the Wi-Fi network that controls them. LIFX smart lightbulbs can be controlled with iOS and Android devices. LIFX was made aware of the problem and has issued a firmware update to address it. The attackers were able to trick the devices into revealing the network password; they had to be within 30 meters of the devices they were targeting. [CNET] [The Register] [Ars Technica]

US – Grid Security Concerns

Some experts are saying that the addition of wind farms, solar panels, and smart meters to the power grid add points at which attackers could infiltrate and attack the country’s energy grid. There have been documented attacks on the power grid that damaged equipment, disrupted service, and required long term repairs. An Ernst & Young survey of 61 power and utility companies found that one-third report spending at least US $3 million a year on information security, which includes protecting systems from cyber attacks. [Bloomberg] SEE ALSO: [College Bescherming Persoonsgegevens, Netherlands – Privacy Checklist for Smart Meters]

US – Hotels Urged to Check Business Center Computers for Malware

An advisory from the US Secret Service and the National Cybersecurity and Communications Integration Center warns organizations in the country’s hospitality sector that computers available for hotel guests’ use in their hotels are likely being infected with keystroke loggers. The advisory was issued after suspects who had managed to compromise public use computers in hotels were arrested in Texas. The advisory urges hotels to check the computers in their business centers. [KrebsonSecurity] [ZDNet]

WW – Most Critical Infrastructure Executives Say Security is Not a Priority

According to a study that compiles responses from nearly 600 IT and IT security executives around the world, two-thirds of those responding said that their infrastructure had been compromised in the preceding 12 months, but just over a quarter said that security is a top priority. Nearly 60% acknowledged that the threat to ICS and SCADA networks is increasing, but just 5% have a dedicated ICS and SCADA security department. 55% percent of those responding said that there is just one person at their organization responsible for the security of those systems, and a quarter have no dedicated personnel at all. The report was conducted by the Ponemon Institute and sponsored by Unisys. [SC Magazine] [Unisys]

Surveillance

US – NSA Retains Data Belonging to Non-Suspects

The Washington Post conducted analysis on 160,000 intercepted conversations intercepted by the NSA and found that the majority of the people whose personal information was stored by the NSA (according to information provided by Snowden) were not suspects in investigations. The information includes highly personal messages, medical records, school transcripts, baby pictures, and resumes. The analysis of the data supports the contention that the NSA is not taking steps to exclude personal information of US citizens, as required by US law. An NSA spokesperson acknowledged that the agency “incidentally intercept[s] the communications of persons in contact with valid foreign intelligence targets,” and maintains that the NSA takes precautions to protect the privacy of the data it collects. [Washington Post] [ArsTechnica] [ComputerWorld] [CNN.com] Former NSA legal counsel Stewart Baker writes that the statistics in the report are doubtful. A separate report suggests those who use privacy-enhancing tools online are more likely to be targeted by the NSA, and The Hill reports that it is “crunch time” for reforming government surveillance. [Source] [Americans’ baby photos and resumes among NSA spy haul]

US – Analysis of Leaked XKeyscore Source Code Shows NSA Targets Tor Users

Analysis of source code in a program used by the NSA to snoop on Internet communications suggests that people outside the US who use online privacy and anonymization services are likely to have had their IP addressed collected. The source code is for a program called XKeyscore. The analysis indicates that people who search for tools like Tor will get labeled as extremists. XKeyscore also conducts deep packet inspection on messages sent through Tor. The code was analyzed by German public broadcaster ARD, which did not say how the code was obtained. [ArsTechnica] [WIRED] [CNET]

WW – A New Device Lets You Track Your Preschooler … And Listen In

LG Electronics have relased the KizON wearable tracking wristband. The technology uses WiFi and GPS to provide real-time location tracking in addition to a “One Step Direct Call” feature designed to allow the child and parent to communicate directly. Such technology, the report states, raises the question of whether minors have a right to privacy. In 2008, one lawyer wrote, “Children do have privacy rights, just like adults, although even the most important constitutional rights of children may be limited because of their minority status.” Iowa State University Prof. Reynol Junco said, “I think they’re entitled to some privacy, but not much. We are parents, after all.” [NPR]

CA – Too Many Hidden Cameras: Yukon Privacy Commissioner

Yukon’s Information and Privacy Commissioner is cautioning government against the overuse of video surveillance. Diane McLeod-McKay says there are far too many hidden cameras in Whitehorse. “My concern is that video is being overused and sometimes the reason for its use is not being balanced against the privacy risks,” adding that ‘Cost-effectiveness is no justification to infringe on privacy rights.’ McLeod-McKay says video surveillance is one of the most invasive tools available, and should only be used as a last resort. After discussions with various departments, McLeod McKay has published a guide targeting government and other public bodies on the use of hidden cameras. [CBC News]

US – FAA Drafting Commercial Drone Use Rules

Federal Aviation Administration (FAA) plan to permit small drones to be used for commercial purposes. Media sources, energy companies, farmers and other groups have been pressuring the FAA to lift its ban on flying commercial drones, and an FAA spokesman said the agency is drafting rules for small drones now that will be “issued for comment late this year.” But finalizing such rules could take several years because multiple agencies would be involved, including the Pentagon and the Department of Homeland Security. [Reuters]

Telecom / TV

UK – ISPs File Complaint Against GCHQ Over Alleged Spying

Seven Internet service providers have filed a complaint against GCHQ regarding allegations that the British intelligence agency broke into their networks to conduct surveillance. The complaint filed with the Investigatory Powers Tribunal calls for GCHQ to stop targeting system administrators to gain access to networks. The complaint was prompted by reports that GCHQ had targeted employees of Belgacom to gain access to the telecommunications company’s network. They were allegedly targeted not because they posed any sort of security threat, but because they were administrators for a network that intelligence wanted to infiltrate. [WIRED]

WW – Naked Selfies Extracted From ‘Factory Reset’ Phones

Thousands of pictures including “naked selfies” have been extracted from factory-wiped phones by a Czech Republic-based security firm. The firm, called Avast, used publicly available forensic security tools to extract the images from second-hand phones bought on eBay. Other data extracted included emails, text messages and Google searches. Experts have warned that the only way to completely delete data is to “destroy your phone”. Most smartphones come with a “factory reset” option, which is designed to wipe and reset the device, returning it to its original system state. However, Avast has discovered that some older smartphones only erase the indexing of the data and not the data itself, which means pictures, emails and text messages can be recovered relatively easily by using standard forensic tools that anyone can buy and download. The company claims that of 40,000 stored photos extracted from 20 phones purchased from eBay, more than 750 were of women in various stages of undress, along with 250 selfies of “what appears to be the previous owner’s manhood”. There was an additional 1,500 family photos of children, 1,000 Google searches, 750 emails and text messages and 250 contact names and email addresses. The company said: “Deleting files from your Android phone before selling it or giving it away is not enough. You need to overwrite your files, making them irretrievable.” [BBC News] [Android’s phone wiping fails to delete personal data]

US Government Programs

US – Placing Faces and Naming Names in New NSA Leak

The latest leaks from Edward Snowden identify five specific Muslim-Americans targeted by the NSA and the FBI and prompting a number of privacy advocates to call for reforms to the Foreign Intelligence Surveillance Act (FISA). The five “targets,” named by reporter Glenn Greenwald and Murtaza Hussain, were part of an NSA spreadsheet “in the Snowden archives called ‘FISA recap.’” The 7,485 e-mails on the list were monitored between 2002 and 2008. Wired interviewed Greenwald about the leak and why it matters. ProPublica reports that users who downloaded the Tor browser in 2011 were also targeted by the NSA. [The Intercept]

US Legislation

US – Senate Committee Approves CISA Despite Privacy Fears

In a 12-3 vote, the US Senate Intelligence Committee has approved the Cybersecurity Information Sharing Act (CISA). The bill aims to improve data sharing between the government and private sector to help protect systems from attacks. The bill provides liability protection for private companies that monitor their own networks and that share information. Following its introduction last month, the bill was heavily criticized by privacy advocates who took issue with CISA’s broad definitions, lack of Department of Homeland Security oversight and inadequate minimization techniques to protect U.S. citizens’ privacy. Compounding the concerns are the Snowden revelations, indicating the government’s willingness to circumvent law in the name of surveillance. Despite such concerns, the committee approved the bill by a vote of 12 to three. [Tech Crunch] [Forbes] [ComputerWorld] [Analysis of Feinstein-Chambliss Cybersecurity Information Sharing Act of 2014 Discussion Draft – Center for Democracy & Technology] and [Letter to the United States Senate Regarding the Cybersecurity Information Sharing Act of 2014 – American Civil Liberties Untion, et al.]

US – SB 806 – Educational Longitudinal Data System Changes – North Carolina

Senate Bill 806, Educational Longitudinal Data System Changes, if passed, would require the state board of education to create an inventory of the individual student data proposed to be accessible in the North Carolina Longitudinal Data System and required to be reported by state and federal education mandates; direct access to data will be restricted to authorized staff of the Board, only de-identified data may used in the analysis, research, and reporting conducted by the system, and individual or personally identifiable data accessed through the system may not be a public record. [Bill 806]

US – Florida Info Protection Act of 2014 in Effect; Regulator Notification Required

Effective July 1, 2014, Florida has repealed its existing data breach law in favor of a new, more stringent, law. Florida has joined the list of states requiring notice to regulators: specifically, an entity must notify the Department of Legal Affairs of any breach affecting 500 or more Florida residents as soon as possible, but no later than 30 days after determining that a breach has occurred or having reason to believe that a breach has occurred. The new law also specifies the content of that notification (e.g., description of the breach, number of Florida residents affected, services offered to individuals, copy of the notice to be provided to the individual, and contact person to field questions regarding the breach). Florida also has expanded the definition of personal information. Under the prior law, Florida had defined personal information to include name plus a social security number, a driver’s license (or other government identification number), or certain financial account information. The new Florida law also includes the following in the definition of personal information: (1) name plus an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify an individual; and (2) user name or email address, plus a password or answer to security question that would enable access to an online account. [lexology]

US – Voters to Decide Privacy Measure Aug. 5

A ballot measure protecting Missourians’ privacy that went through the Missouri Senate with overwhelming support (31-1) and also passed the Missouri House by a vote of 114-28 will be put before the voters Aug. 5. SJR 27, the legislation passed in order to get the proposed constitutional amendment on the ballot, was sponsored in the Senate by Sen. Robert Schaaf (R-St. Joseph) and handled in the House by Rep. Paul Curtman (R-Pacific). Curtman said this is a bill he thinks revolves around people’s “reasonable expectations to privacy” guaranteed in both the U.S. Constitution and the Missouri Constitution. He said writers of these documents had never seen electronic communications or the sending of data, but the same principle of having reasonable expectations to privacy would apply. “SJR27 is a necessary addition to our state constitution,” he said. “It will ensure that modern communications (electronic and data) as well as traditional communications are protected from unwarranted search and seizure.”[Source]

Workplace Privacy

US – Customs Under Fire for Sweeping Scans of Employees’ Personal Data

A troubled division of Customs and Border Protection whose leader was recently ousted by the Obama administration is now accused of improperly scrutinizing the personal information of the agency’s 60,000 employees for evidence of potential misconduct and corruption. In one program, the agency’s internal affairs division shared employees’ Social Security numbers with the FBI, looking for possible criminal leads. The program is no longer operating and is under review by the Department of Homeland Security’s inspector general, according to three federal officials with knowledge of the inquiry. In another effort, the division automatically scanned the Social Security numbers of all the agency’s employees in a Treasury Department financial records database, said the officials, who spoke only on the condition of anonymity because of the sensitivity of the matter. The Treasury Department halted the daily monitoring in April over questions about whether it violated federal policies. The programs were inspired by the Obama administration’s Insider Threat initiative, a governmentwide crackdown on security threats that relies on profiling federal workers for certain behaviors. While such data-sharing efforts didn’t appear to be illegal, they might infringe on the privacy rights of federal employees.[mcclatchydc.com]

US – Survey: Employers Nervous About Workplace Privacy

A recent survey indicates workplace privacy is a growing area of concern as companies increasingly shift toward new technology policies and widespread data breaches persist. According to the Littler 2014 Executive Employer Survey of more than 500 in-house C-suite executives, avoiding workplace and data security breaches was the top concern related to workplace privacy, while safeguarding customer and corporate data without unlawfully accessing employee information was a close second. Phil Gordon of Littler Mendelson said it’s interesting that the monitoring of employees’ personal social media activity was low on the priority list despite the proliferation of state laws on the matter. [HR.BLR.com] See also: [IAPP Workplace Privacy Resources]

US – CBP Accused of Snooping on Employees

A division of U.S. Customs and Border Protection (CBP) is under review by the Department of Homeland Security’s inspector general for potentially improperly scrutinizing the personal information of the agency’s 60,000 employees. The internal affairs division shared employees’ Social Security numbers with the FBI in an effort to find potential misconduct and corruption, the report states, and in another instance, the division “scanned the Social Security numbers of all the agency’s employees in a Treasury Department financial records database.” Although the actions weren’t technically illegal, they may infringe on employees’ privacy rights, the report states. CBP’s actions are “pushing the legal envelope,” said one privacy attorney. [McClatchy]

CA – Right to Fire Civil Servant for Abusing Internet, Privacy Breach: Tribunal

A labour relations tribunal has upheld the firing of a civil servant who used his government computer to indulge his car obsession, complain about his job, store electronic music files, and attempt to cheat on staffing competitions. In a recent decision, the Public Service Labour Relations Board said the government had just cause to fire Marc Gravelle, a human resources assistant in the Department of Justice, in July 2011. Gravelle had argued that the government did not prove its case against him and that his abrupt dismissal ignored the principle of progressive discipline. Adjudicator Renaud Paquet, however, concluded that Gravelle had severed the bond of trust that must exist between the government and one of its employees. [Ottawa Citizen ]

EU – Data Protection Authority Opinion on Location Tracking in the Workplace

A Finnish employer’s tracking of an employee’s location (e.g. GPS monitoring of a vehicle) falls under the Personal Data Act, the workplace Data Protection Act 759/2004 and the Electronic Communications Privacy Act; such monitoring may be conducted only for justifiable and specific circumstances pursuant to the employment relationship, after a hearing of employees’ concerns and by using a prescribed statutory cooperation procedure (which includes written operating rules), and with detailed notice to employees, and employees must be able to turn off the tracking during non-working hours. [Source]

+++

01-15 August 2014

Biometrics

US – Facial Recognition Leads Feds to Fugitive After 14 years

A cold case comes back to life after facial recognition software recognizes an alleged US outlaw who’d been hiding out in Nepal. In 2000, after being accused of child sex abuse and kidnapping in New Mexico, Neil Stammer skipped town and went underground. Fourteen years later he was arrested in Nepal. How did the authorities catch this fugitive? Facial recognition technology. [C|Net]

Big Data

US – FTC to Consider Data Collection’s Impact on Low-Income Consumers

The FTC will host its “Big Data: A Tool for Inclusion or Exclusion” workshop in Washington, DC, on September 15. The workshop will look at the ways advancing technologies are increasingly collecting data for commercial purposes and the impact that has on consumers, including low-income and underserved individuals. Panel discussions will assess the current environment, look at what’s on the horizon, survey the legal landscape and map the path forward. [FTC Announcement and Agenda] [NYT Debate: Does Big Data Spread Inequality?]

US – Disagreement Among Tech Giants on Comprehensive Privacy Legislation

Stakeholders from industry to advocacy to regulators have submitted comments to the National Telecommunications and Information Administration (NTIA) on how the U.S. government should protect consumers in the era of big data. On one side, some urge President Barack Obama to initiate strong legislation for data collection while others say industry can self-regulate. Microsoft is calling on Congress to enact “strong, comprehensive privacy legislation,” noting that although big data “holds great promise for technology, for the economy and for the people,” such legislation “can and should be part of unlocking that promise.” On the other side, the Internet Association—which represents Google, Facebook and Yahoo, among others—advocated for “a flexible and balanced self-regulatory responsible use framework.” The NTIA has compiled a complete list of comments. [The Hill] See also: [NYT: As Data Overflows Online, Researchers Grapple With Ethics]

US – Advocates: Self-Regulation Isn’t Working; We Need a Law

A coalition of advocacy groups are reiterating the call for a privacy “bill of rights” that would limit marketers’ ability to collect or use individuals’ data. The organizations, which include the ACLU, the Center for Digital Democracy, Consumer Action, Consumer Watchdog and Common Sense Media, submitted the comments in response to the National Telecommunications and Information Administration’s request for opinions on how to balance privacy principles with the value that data collection can bring. “Industry self-regulation is not enough and has failed to inform or protect consumers,” said the groups last week. [MediaPost]

US – Berkman Releases Paper on Privacy in Longitudinal Studies

Long-term longitudinal research studies often collect highly specific and sensitive data about individuals. The benefits are in the ability to link sets of behaviors in specific people, but that is also where the danger lies: It’s difficult to keep those individuals from being identifiable from their unique traits. In the first in a series of reports based on the “Integrating Approaches to Privacy Across the Research Data Lifecycle” workshop held by the Privacy Tools for Sharing Research Data project at Harvard University last year, Harvard’s Berkman Center provides an overview of the long-term longitudinal study use case. It describes the disclosure risks as well as common legal and technical approaches for managing confidentiality and identifies “urgent problems” for privacy in the research environment. [Source]

US – Exploring the Privacy Paradox

Chris Hoofnagle explores the phenomenon known as the “privacy paradox,” where privacy concerns do not relate to people’s behavior. “The privacy paradox is a major problem for consumer advocates. It suggests that advocates are out of touch with average consumers and that government should not intervene in privacy because individuals really do not care about it,” he writes. Examining the book, Exit, Voice, and Loyalty, he suggests if the privacy paradox “is understood with the impoverished view that only exit matters, we will misinterpret individuals’ actions and policy-makers can buy into narratives that people are hypocrites who do not really care about privacy. If we consider voice, attitudes and action may not be in conflict.” [Source]

US – Commissioner Talks FIPPs, Big Data; LabMD Seeks Sanction for FTC

Federal Trade Commissioner Maureen Ohlhausen sent a letter to the National Telecommunications and Information Administration this week on the tension between privacy advocates’ push for officials to support Fair Information Practice Principles (FIPPs) limiting companies’ ability to collect, retain and use data and the potential value to be gained from maximizing the benefits of big data. While FIPPs call for companies to explain to consumers why data is being used and to gain their consent, big data can yield insights unforeseen at the time of collection. Ohlhausen called for strategies such as de-identification to bridge the gap. Meanwhile, LabMD has asked a judge to sanction the FTC for allegedly having a secretive relationship with the source of a key piece of evidence in the data breach case against the company [MediaPost]

Canada

CA – CSEC Won’t Say How Long It Keeps Canadians’ Private Data

The federal government’s secretive electronic intelligence agency is not disclosing how long it can hold onto Canadians’ communications – even though its leaders have said that “firm” time limits are in place to protect privacy. The strictures surrounding Communications Security Establishment Canada’s data-retention periods – including those affecting recognized “private communications” and also “metadata” – are blacked out from an operational document obtained by The Globe and Mail. [Source]

CA – Police Record Checks Under Scrutiny In Ontario

The disclosure of non-conviction information on police record checks costs many people educational and job opportunities in this province. But steps are being taken to ensure innocence is presumed until proven guilty. Police services across the province are evaluating what they disclose on record checks. They’re debating whether they should end the practice of noting how many times a person has had contact with police. The Ontario Association of Chiefs of Police recently revised its voluntary record check guidelines to limit the practice. Brian Beamish, the acting information and privacy commissioner for Ontario, called the recommendation a step in the right direction. But Beamish said he’d like the reporting of non-conviction information eliminated from police records altogether. “I think it points to the need to have some kind of provincial standard,” he said. “So that this is no longer a voluntary process for police services that they have a standard that they have to guide their actions by. It needs the force of law.” The Canadian Civil Liberties Association is currently in talks with the provincial government to create that legislation. Association spokesperson Abby Deshman said she wants to see all police services adopt the guidelines. [Source]

CA – Should Your Home’s Selling Price Be Public Information?

The selling prices of homes are currently the property of real estate boards. Should they be forced to share it with the public? If you’re in the market for a house and know what other houses in the area are selling for, would that help you to make an offer? This question is at the heart of the lengthy proceedings between the Competition Bureau and the Toronto Real Estate Board (TREB). The Bureau wants anyone to have access to the Multiple Listing Service (MLS) owned by real estate board. TREB says the information is private. In a Supreme Court of Canada decision given last week, the parties were basically told to keep fighting.[Source]

Consumer

US – Whitepaper Measures Whether Consumers Are “Getting the Message”

The Lares Institute has released whitepaper on whether consumers are “getting the message” about steps they can take to protect their own privacy. The FTC has suggested, for example, that individuals know who they share their information with; store and dispose of sensitive data securely; ask questions before deciding to share personal data, and maintain appropriate security on electronic devices. The paper is based on data from multiple years of surveys that asked consumers questions about their own privacy-protective behavior, such as whether they carry their Social Security cards in their wallets, shred documents that include personal information or use antivirus programs. [Source]

US – Poll: Consumers Concerned About In-Store Tracking

A new survey reveals that a majority of retail consumers are concerned in-store tracking invades their privacy. According to the PunchTab survey, brick-and-mortar retailers need to overcome consumer perceptions about whether in-store communications from tracking provide useful information. Merely 27% of respondents would allow in-store tracking for deals and relevant messaging, while 50% were not open to tracking at all, citing privacy as their biggest concern. However, providing discounted prices, coupons and shorter checkout times were found to be acceptable uses of in-store tracking. [eMarketer]

UK – Beacon Deployment Hampered by Consumer Privacy Concerns

Companies like Lord & Taylor and Hillshire Brands indicate they’re seeing positive early results from the rollout of Bluetooth technology location-tracking beacons to enhance services and boost sales. A new report by Forrester analyst Adam Silverman suggests “beacons will succeed where Wi-Fi, near-field communication and other location-focused technologies have failed,” largely because it is an opt-in location-tracking solution. But privacy remains a major barrier to the use of such technology: Forrester’s research indicates 56% of customers overall aren’t comfortable sharing their in-store location with retailers. Given an offer or discount, 41% are still uncomfortable. [MediaPost]

EU – 3rd Party Data Must Be ‘Properly Sourced, Permissioned and Cleaned’ for Use in Direct Marketing Under New Industry Code

Companies buying personal data from third parties to use in direct marketing campaigns must “satisfy themselves” that data was “properly sourced, permissioned and cleaned”, according to a new industry code developed by the Direct Marketing Association (DMA). [Out-Law] [The new DMA code (12-page / 321KB PDF)] BACKGROUND: [Reding: US authorities wrong to ask Microsoft directly to hand over customer data stored in the EU 02 Jul 2014] | [Apple and Cisco back Microsoft challenge to US data search powers 17 Jun 2014] | [US search powers extend to data stored on foreign servers, rules judge 30 Apr 2014] | [Microsoft commits to offer non-US storage of data 24 Jan 2014]

UK – Information Commish Concerned About Data Security in Legal Profession

The UK Information Commissioner’s Office (ICO) has received reports of 15 incidents in the past three months involving mishandling of client data by those in the legal profession. The ICO is warning that barristers and solicitors who do not take adequate precautions to protect their clients’ data would face fines of up to GBP 500,000 (US $840,000). [Source]

E-Government

UK – Government to Unveil New Personal Data Sharing Plans

Plans to allow personal data stored on different public sector databases to be aggregated could be unveiled by the UK government later this year. Under the plans being considered, “all bodies providing public services” could be given greater freedom to share the personal data they store to “improve outcomes in health, education or employment”, according to a report by the Daily Telegraph. According to the paper, individuals might not be asked whether they consent to the sharing of their data. The white paper to be published will also contain plans to enable greater sharing of anonymised data by public sector bodies, the Telegraph reported. [Out-Law]

WW – Twitter Says Governments Asking for More User Data than Ever

Twitter said government requests for user data grew sharply in the past six months as more countries asked for a greater amount of information about users. More than half of the requests came from the United States, as has been the case since Twitter began issuing its “transparency report” in 2012. Typically, the requests are part of criminal investigations. San Francisco-based Twitter Inc. said in a blog post Thursday that it received 2,058 requests from 54 countries in the first six months of the year, including from eight countries that had not previously submitted requests. Twitter produced at least “some information” that the governments asked for in 52% of cases worldwide and in 72% of requests coming from the U.S. [CBS News] SEE ALSO: [Twitter vows to “improve our policies” after Robin Williams’ daughter is bullied off the network]

WW – White Paper Examines Gov’t Access to Data in the U.S. and Latin America

Hogan Lovells has published Pan-American Governmental Access to Data in the Cloud, the fifth installment in a series of White Papers examining government access to data held by Cloud service providers. Examining the right of governments in the United States and Latin America to access data in the Cloud, the White Paper concludes that the physical location of Cloud servers does not significantly affect government access to data stored on those servers, and that it is fundamentally incorrect to assume that the United States government’s access to data in the Cloud is greater than that in the Latin American countries examined. [Hogan Lovells] See other papers in this series: [A Global Reality: Governmental Access to Data in the Cloud comparing government access in the United States, Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, and the United Kingdom] | [Individual Rights to Challenge Government Access to Data in the Cloud, comparing the ability of citizens and non-citizens to challenge government access to data in the U.S., France, Germany, the UK, and Australia] | [An Analysis of Service Provider Transparency Reports on Government Requests for Data, comparing the number of government access requests to Cloud service providers who have published those numbers]; and [A Sober Look at National Security Access to Data in the Cloud, comparing the mechanisms international governments can use to access sensitive foreign intelligence information]

E-Mail

US – Justice Dept. Gets Involved in Microsoft Email Privacy Case

The next chapter in the Microsoft email privacy case has unfolded as the U.S. Department of Justice has asked a New York court to vacate a stay on an order that would compel Microsoft to turn over to the U.S. government certain emails currently being held on servers in Dublin, Ireland. Microsoft had asked for the stay to pursue an appeal, but may now have to refuse to comply with the order if the court follows the DoJ’s lead. If the company refuses the order, then the New York court is requested to issue “a contempt order that would, in turn, be a properly appealable final order, which could be stayed on consent pending appeal.” The European Commission, last week, expressed concern about the case. [PC World] See also: [Out-Law: Microsoft Launches Further Appeal Over US Ruling to Hand Over Emails Stored In the EU]

US – Judge: Path May Appeal Text-Spam Ruling

Path has been authorized to appeal a ruling in a text-spam case. Northern District of Illinois Judge Manish Shah said, “An immediate appeal may materially advance the ultimate termination of the litigation.” The 2013 lawsuit, which seeks class-action status, alleges Path sent Kevin Sterk a text message saying that his friend, a Path user, wanted to share photos with him and contained a link to a Path registration page. Sterk argues Path violated the Telephone Consumer Protection Act by sending him an automatic message. Shah said, “The course of the litigation depends on the interpretation of automatic telephone dialing system.” [MediaPost] See also: [US: Enforcing The Canada Anti-Spam Legislation (CASL) Against U.S. Companies]

US – Yahoo Must Face Email Scanning Suit; Google Beats Privacy Suit

Yahoo has been ordered by a federal judge to face a privacy class-action alleging it scanned its users’ emails for targeted advertising. U.S. District Judge Lucy H. Koh did grant the company’s request to throw out a federal wiretap allegation as well as throw out claims that Yahoo did not properly disclose it would collect and store users’ content for future use, the report states. However, Koh ruled she will permit the suit to move forward under a different wiretap claim alleging the company may have illegally shared content between Yahoo and non-Yahoo users. Meanwhile, a California federal judge has dismissed a putative class-action against Google that alleged the company violated a contract with users by giving their private data to third-party app developers. [Bloomberg]

WW – Unsubscribing from Annoying E-Mails Just Got Easier For Gmail Users

Have you ever got frustrated trying to find the “unsubscribe” link at the bottom of promotional e-mails? Google just made it a lot easier. In a change announced Wednesday in a Google+ post, Gmail users will now find the unsubscribe button at the top of those newsletters and promotional e-mails. The new feature will display the unsubscribe link right next to the sender’s e-mail address. The feature relies on the existing filtering system used in Gmail’s Inbox tabs that categorizes social, promotional, updates and forum e-mails. It will only work for e-mails that include an unsubscribe link within them. [Source] See also: [‘Google Glass on your windshield’ lets you check your phone with eyes on the road]

Electronic Records

US – California’s Ahead of the E-Health Game, But Breach Concerns Persist

California’s Cal Index system will transition one in four state residents to electronic health records by the end of the year thanks to a partnership between Blue Shield and Anthem Blue Cross. The system will be the biggest health information network anywhere in the U.S. and aims to make for faster and better healthcare. However, some opponents are concerned about the potential for data breaches while others don’t like the idea of their medical information being readily available. [Southern California Public Radio].

US – Court Rules In Favor of Providing Officials Access to Entire Email Account

A Judge in Columbia ruled that providing law enforcement with access to an entire email account in an investigation did not violate the Fourth Amendment to the U.S. Constitution that prohibits unreasonable searches and seizures of property. The order by Chief Judge Richard W. Roberts of the U.S. District Court for the District of Colombia reversed an earlier decision by Magistrate Judge John M. Facciola who refused to allow a two-step procedure whereby law enforcement is provided all emails relating to a target account, and is then allowed to examine the emails at a separate location to identify evidence. The striking down of Judge Facciola’s ruling will likely fuel the privacy debate in the country. A New York judge defended last month his order that gave the government access to all content of the Gmail account of a target in a money laundering investigation. [Source] See also: [Judge orders destruction of residential school documents after 15-year holding period]

Encryption

US – Breach Index: Encryption Used in only 4% of Q2 Incidents

Last quarter, organizations that reported data breaches only used encryption around four percent of the time to further safeguard data, a report found. [SC Magazine] See also: [US: No noise is good noise, Cary police say of plan to encrypt radio traffic]

WW – Google Rewarding HTTPS Sites with Higher Search Rankings

Google says it is giving sites that use HTTPS a slightly higher ranking in Internet searches in an effort to stimulate further adoption of the protocol. In tests, Google has found HTTPS yields positive results as a ranking signal, though for now it carries less weight than such signals as high-quality content, according to two Google webmasters. Over time, “we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.” Meanwhile, Yahoo said yesterday it will join Google’s efforts to create a secure email system that could make it nearly impossible for hackers or governments to read users’ email. [ZDNet]

EU Developments

UK – Cyber Security Body Warns of IT Security Flaws, Risks Posed by Malware

Weak passwords and unpatched software is enabling hackers to use organisations’ own servers as the hosts of cyber attacks, the UK’s National Computer Emergency Response Team (CERT-UK) said. [Out-Law] [CERT-UK’s quarterly report (20-page / 1.26MB PDF)]

UK – Government to Unveil New Personal Data Sharing Plans

Plans to allow personal data stored on different public sector databases to be aggregated could be unveiled by the UK government later this year. [Out-Law] [The Telegraph’s report] UK ministers plan to “link up thousands of state databases used by schools, councils, police and civil servants, “which is expected to bring privacy concerns. The Irish Department of Public Expenditure and Reform launched a public consultation on the planned Data Sharing and Governance Bill, which deals with data sharing between public-sector agencies.

Facts & Stats

WW – Infographic for More Compelling Big Data statistics

Did you know that 90% of the world’s data was created in the last two years? And that 80% of data today is unstructured? like these in an easy to consume graphic deliverable. [GCN]

Finance

CA – Women File Suit Over FATCA

Two Ontario women allege “Canada has violated the charter rights of nearly a million Canadians by agreeing to share their financial details with authorities in the United States,” in a lawsuit launched against the Attorney General of Canada. The suit alleges Ottawa breached Canada’s constitution by complying with the U.S. Foreign Account Tax Compliance Act. Attorney David Gruber said, “The non-U.S. person would presumably not have any potential liability to the U.S., but nevertheless, they would have the intrusion of their privacy.” He said the case argues Canada’s government has breached the Charter of Rights and Freedoms. [The Canadian Press] [Marni Soupcoff: Ottawa is violating Canadians’ constitutional rights to help the U.S. collect taxes]

FOI

UK – FOI Requests in Particular Formats Must Be Adhered To: Court of Appeal

Public bodies must generally adhere to individuals’ requests for information to be provided in a specific electronic format under freedom of information (FOI) laws, the Court of Appeal in London has ruled.

[Out-Law] [The Court of Appeal judgment (22-page / 413KB PDF)]

UK – Evidence During FOI Disputes Can Be Provided in Secret: Court of Appeal

Public bodies defending a decision to withhold information requested under freedom of information (FOI) laws can submit evidence to an information rights tribunal in secret, the Court of Appeal has ruled. [Out-Law]

US – Snowden Isn’t the Only NSA Whistleblower

A former State Department official in April filed a whistleblower complaint arguing National Security Agency (NSA) data collection practices violate Americans’ Fourth Amendment rights. John Napier Tye had top-secret clearance and worked on Internet freedom issues. He knew the Obama administration was considering a proposal that an internal White House document said represented “significant changes” for handling Americans’ data collected by the NSA from fiber-optic networks abroad, unbeknownst to Congress or the American people. Meanwhile, Wired sat down with Edward Snowden in a hotel room in Moscow to discuss his ordeal over the last year. [The New York Times]

UK – FOI response times not good enough in Scotland, says watchdog

Many public authorities in Scotland are failing to respond quickly enough to requests for information, the Scottish Information Commissioner’s Office (SICO) has said. [Out-Law]

Health / Medical

US – White House Offers Agencies Security, Privacy Tips

Learning from mistakes made during last year’s rollout of Healthcare.gov, the Obama administration has announced it is offering other federal agencies help—including a focus on privacy and security—for their own IT rollouts. Part of the White House’s latest efforts stem from the newly created U.S. Digital Service, an elite team of technology experts (“the country’s brightest talent”) designed to work with federal agencies “to remove barriers to exceptional service delivery and help remake the digital experience that people and businesses have with their government.” Additionally, the administration is offering a “Digital Services Playbook“ to provide best practices for building digital services, which includes “managing security and privacy through reusable processes.” [GovInfoSecurity]

US – Insurance Giants Creating Massive Database of Patient Records

The benefits could prove useful in emergency rooms, where doctors would be able to review patients’ histories instantly. It’s expected to go online by the end of the year. Insurers say the new system, called Cal Index, will help save money be reducing repetitive tests and procedures. Anthem and Blue Shield are providing $80 million in seed money to start the nonprofit database, with the hope it ultimately will survive on subscriptions paid by health providers. Technological challenges have caused previous attempts to fail. Patient privacy is another concern, said Pam Dixon, executive director of the World Privacy Forum. People who suffer from rare diseases, domestic-abuse victims and others are often concerned about keeping their records private, Dixon said. [LA Times]

WW – Apple HealthKit Aims to Centralize Health Data

Apple has been working out how its HealthKit will integrate with a number of healthcare providers and aims to centrally locate health data generated from thousands of third-party health apps for its users. Expected to be released next month as part of the company’s iPhone 6, HealthKit will need to navigate the web of privacy regulations under HIPAA. Joy Pritts, who recently served as chief privacy officer for the Office of the National Coordinator for Healthcare IT, said Apple may need to reassess its responsibility to protect data with each new partnership—meaning a partnership with a wearable tracking company would not be subject to HIPAA but one with a clinic would. [Reuters]

NZ – Report Slams Medical Privacy

A damning Privacy Commission review shows snooping doctors, nurses and even admin workers can access patients’ most personal medical records. The Office of the Privacy Commissioner identified significant flaws in the security and regulation of three shared care record (SCR) portals used by a number of district health boards. A draft review leaked to the Sunday Star-Times has major concerns about all three portals, noting they need to be “more demanding” of patient security with none of the reviewed SCRs able to provide a compelling picture of how access was audited. There was also a concern health information was being electronically recorded and monitored without patient knowledge. [Source] See also: [AU — AUS: Concerns over PCEHR survey privacy quelled]

US – Your Baby’s Cute, But No More Pics on the Doc’s Wall

For generations, doctors have proudly displayed in their offices pictures of the babies they’ve delivered. But that’s a practice patients will see less and less. “I’ve had patients ask me, ‘Where’s your baby board’,” said Columbia University Medical Center’s Mark Sauer. “We just tell them the truth, which is that we no longer post them because of concerns over privacy.” Under the Health Insurance Portability and Accountability Act (HIPAA), baby photos are protected health information. Meanwhile, in a separate report, Khaled El Emam and Scot Ganow discuss the best methods of protecting patient privacy and data de-identification under HIPAA. [The Boston Globe]

Horror Stories

WW – Security Firm Says Russian Gang Amassed 1.2 Billion Passwords

A security firm has discovered a collection of stolen passwords, usernames and email addresses has been amassed by a ring of Russian hackers. According to Hold Security, the collection includes 1.2 billion username and password combinations and more than 500 million email addresses. The company will not disclose the victims due to “nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable,” according to the report. The firm’s CEO said the hackers not only targeted Fortune 500 companies but small websites as well. Meanwhile, Target has announced it will book $148 million in expenses in its second quarter results stemming from last year’s massive data breach. [The New York Times] SEE ALSO: [Krebs: Q&A on the Reported Theft of 1.2B Email Accounts] and [Vast majority of hackers believe they’re above the law — survey]

US – Suit Alleges Hospital’s Lack of Procedures Led to Breach

Two Ohio women have filed a lawsuit alleging their privacy was violated when employees at Kettering Health Network accessed their health information. Vicki Sheldon says her ex-husband Duane Sheldon, who worked in an administrative position at the hospital, accessed her files and those of her daughter. In subsequent months, other people accessed her records, she says, and the health network didn’t have the appropriate procedures in place to protect them. An attorney for Duane Sheldon, who is also named in the suit, said the claims are inaccurate. [2News] See also: [PR Expert on Commonly Made Breach Response Mistakes] see also: [WSJ: An Argument for Not Disclosing Breaches]

US – Bank, Hospital Report Data Breaches

A Florida-based bank is alerting approximately 72,500 customers of a data breach involving personal information that may include account balances, personal identification numbers and Social Security numbers. An unauthorized third party accessed the TotalBank network. Meanwhile, Jersey City Medical Center says an unencrypted computer disk containing patient information from 2011 was lost when a package sent through the mail failed to arrive. Letters are being sent to the affected patients, although there’s no evidence to suggest the lost information has been made available to unauthorized parties or used in nefarious ways. [TweakTown] See also: [AU – Hospital kills off 200 patients by mistake] and [BC: 1,628 patients at Kamloops hospital had privacy breached]

US – Judge Rules on Portal Case; Paddy Power Breach Examined

A U.S. federal judge has ruled that Travelers Indemnity Co. of America must defend Portal Healthcare Solutions against class allegations that it posted confidential medical records online, ruling Travelers’ policy covers electronic publication of private information [Law360]. Meanwhile, a Canadian man found himself faced with a convoy of forensics experts and representatives from recently breached Irish company Paddy Power, holding court documents and subsequently seizing a hard drive and other equipment from his basement, after he sold data that had initially been stolen from the company in a 2010 hacking. [Irish Times] see also: [DHS contractor suffers major computer breach, officials say]

US – Advocates Want Google Settlement Quashed

A coalition of privacy groups is urging the FTC to ask a California judge to reject Google’s $8.5 million class-action settlement, alleging the company illegally divulged search information. The group says the FTC’s involvement is necessary in order to “quash the unfair and ineffective deal,” the report states. Meanwhile, the FTC has responded to a letter from the Electronic Privacy Information Center urging it to oppose the settlement, saying it “systematically monitors compliance” with its consumer protection orders and “takes alleged violation(s) of an order seriously” but cannot disclose details of investigations before a formal complaint is issued. [Law360]

WW – Mozilla Developer Network Info Accidentally Exposed

The Mozilla Foundation has apologized following an incident where “tens of thousands of email addresses and encrypted passwords” were accidentally exposed. The email addresses, which belonged to about 76,000 Mozilla Developer Network members, were exposed on a public server for a month, the report states, noting some 4,000 encrypted passwords were also exposed. “We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you,” two Mozilla spokesmen wrote, adding that while the encrypted passwords cannot be used to access the site, anyone who reused a password on another site should change it. [IT News]

Identity Issues

EU – Survey Reveals Business Attitudes to ‘Bring Your Own Identity’ Potential

Allowing customers to use an “existing digital or social identity” to access applications can help organisations deliver simple and secure services to customers, according to a new survey. [Out-Law] [The Ponemon report into BYOID attitudes (registration required)]

US – Inspector General Finds Risks with ONC’s Certification Process

In a report released this month, the Department of Health and Human Services Office of Inspector General concluded that the Office of the National Coordinator (ONC) for Health Information Technology “essentially has an insufficient compliance program to maintain the privacy and security of the protected health information hosted by electronic health records (EHRs).” The report found the ONC’s oversight of authorized testing and certification bodies (ATCBs) did not ensure they developed procedures to “periodically evaluate whether certified EHRs continued to meet federal standards” and developed a training program “to ensure that their personnel were competent to test and certify EHRs and to secure proprietary or sensitive EHR information.” [Med Law Blog]

Intellectual Property

WW – In Three Days, Facebook Class-Action Gains 11,000 Members

Days after the announcement by Europe v. Facebook’s Max Schrems on the filing of a class-action lawsuit “inviting adult noncommercial Facebook users located anywhere outside the U.S. and Canada to join in … (the) civil action has pulled in some 11,000 participants.” About 50% come from “German-speaking countries,” the report states, and a Europe v. Facebook spokesperson noted, “Reasonable numbers come from all European countries and South America.” The class-action is targeting what the group describes as “unlawful acts” by Facebook, including its alleged support of the U.S. NSA’s PRISM surveillance program and lack of “effective consent” for many uses of user data, the report states. [TechCrunch] Schrems is seeking 500 euros per Facebook user, and people can join the case by logging in with their Facebook credentials at www.fbclaim.com.

Internet / WWW

US – Man Launches Kickstarter Campaign to Live “A Year Without Privacy”

Noah Dyer calls himself an “anti-privacy” activist, and he’s seeking $300,000 in a Kickstarter campaign to fund a yearlong live-stream of his life. He calls the project, “A Year Without Privacy.” Dyer is a professor of mobile app and game programming at the University of Advancing Technology, and he believes government should be allowed to gather all data on its citizens, and likewise, the government itself should have no privacy. Meanwhile, an Internet privacy start-up has raised $100,000 in Kickstarter funding. The iCloak is a small USB device that thwarts companies’ attempts to track Internet browsing. [Source] see also: [Can Google be sued for a mere search suggestion? A Hong Kong judge says yes.]

Law Enforcement

US – Police Dept. Surveillance Potential Raises Concerns

Seattle’s police department still hasn’t released a draft policy on how it will use the surveillance cameras and communication nodes it installed as part of a federal port-security grant. Privacy and civil liberties advocates say the city must put a strong review process in place for the information collected via the surveillance cameras, smart meters and two aerial drones recently purchased with a Homeland Security grant. “We know that whenever these systems are put in place, they can be abused,” said a spokesman for the Seattle Privacy Coalition.. [Government Technology] See also: [Spy satellites fighting crime from space] and [Could drones get X-ray vision through Wi-Fi?] and [UK – Police want right to see medical records without consent]

US – FBI Using Drive-by Downloads to Catch Criminals

The FBI has been using drive-by downloads to identify people who visit certain suspicious websites. Specifically, the Justice Department is attempting to identify people who visit child pornography websites hiding in the Tor network. The tactic has paid off – more than a dozen people are now facing trial. However, critics say that the FBI has “glossed over the technique when describing it to judges” and has hidden its use from defendants. The FBI calls the method a network investigative technique (NIT) and has been using some form of it since 2002. There is also concern about mission creep, because the technology’s deployment has grown from targeted operations to a dragnet-like approach. Others are worried about weakening a technology useful to human rights and other activists. [WIRED]

Location

US – How Fast You Drive Might Reveal Exactly Where You are Going

Rutgers researchers have shown that GPS technology is not needed to show where a driver traveled. A starting point and the driver’s speed are enough. In our constantly connected, information-rich society, some drivers are jumping at the chance to let auto insurance companies monitor their driving habits in return for a handsome discount on their premiums. What these drivers may not know is that they could be revealing where they are driving, a privacy boundary that many would not consent to cross. A team of Rutgers University computer engineers has shown that even without a GPS device or other location-sensing technology, a driver could reveal where he or she traveled with no more information than a starting location and a steady stream of data that shows how fast the person was driving.[Source]

Offshore

AU – Data Retention Risks Private Information Leaking: Privacy Commissioner

Australia’s federal Privacy Commissioner says it remains “unclear” what information the Abbott government’s mandatory data retention proposal would require telecommunications companies to collect for law-enforcement purposes and has indicated that collecting the data increased “the risk of a data breach.” In a statement published on the Office of the Australian Information Commissioner’s website, commissioner Timothy Pilgrim said it was important there was “an opportunity for public consultation and debate” on the proposals once the detail was available. “At this stage, it is unclear exactly what type of information would be retained,” he said. “However, there is the potential for the retention of large amounts of data to contain or reveal a great deal of information about people’s private lives, and that this data could be considered ‘personal information’ under the Privacy Act.” [Sydney Morning Herald] see also: [Australian Government’s Data Retention Plan: Everything You Need To Know] [AU – The Australian Federal Cabinet has given its support, in principle, for a requirement that telecommunications companies retain certain undetermined customer data for up to two years for warrantless investigation by government agencies.

SK – Korea: New Korean Privacy Protection Law Set To Take Effect

A new personal information protection law is set to take effect this week, banning companies and website operators from collecting citizens’ resident registration numbers as the government steps up efforts to prevent identity theft, the home affairs ministry said. The law, which will go into effect on this week, comes after a series of recent personal data theft cases involving popular website operators as well as some credit card and financial companies. [Yonhap News] See also: [South Korea’s Personal Information Protection Act came into effect last week.] and [Concerns linger over the new South Korean law prohibiting public institutions and companies from collecting resident numbers]

Online Privacy

WW – Facebook Unveils Cross-Device Ad Reporting

Facebook has rolled out cross-device ad reporting to allow marketers to see how people are moving among devices, mobile apps and the web. For example, advertisers can see the number of customers who clicked on an iPhone ad but then later used a desktop. The reporting “relies on data from Facebook’s conversion pixel, a piece of tracking code used in conjunction with the social network’s software development kit, to get reports on which device someone saw an ad and eventually converted,” the report states. A recent analysis found that “among people who viewed a mobile Facebook ad in the U.S., nearly a third eventually clicked on the same ad on the desktop within 28 days.” [MediaPost]

WW – Google Acquires Chatting Service; Foursquare Releases Tracking Service

Google has acquired a start-up that offers an instant-messaging tool that also can monitor chats, infer what people are talking about and insert relevant links. A nearby café might pay for an ad to appear every time the word “coffee” appears in a user’s chat, for example. The service, called Emu, is part of a “much larger trend to monitor and thus profit” from such data, the report states. Meanwhile, Foursquare aims to boost its revenues by releasing a new version of its app that will function more like a “tracking machine.” [Wired] and [Google Street View Adds More Images of College Campuses]

EU – Wikipedia Fights RTBF; Auto-Complete Concerns Raised; Better Redress Sought for Cyber-Abuse

Online, open-sourced encyclopedia Wikipedia is countering Europe’s right-to-be-forgotten ruling by listing the articles the site has been asked to remove. Wikimedia Foundation Executive Director Lila Tretikov said, “Accurate search results are vanishing in Europe with no public explanation, no real proof, no judicial review and no appeals process.” That results, he said, in “an Internet riddled with memory holes …” Meanwhile, Google’s auto-complete function is being challenged in a Hong Kong court where a local businessman has been allowed to sue the company for what he views as negative suggestive terms in his search. Separately, University of Maryland Law Prof. Danielle Keats Citron, in a column for Slate, argues that a recent revenge porn lawsuit should prompt Facebook to improve how it deals with reports of abuse. [Reuters] and [The Internet Never Forgets: Google Inc.’S “Right To Be Forgotten” EU Ruling And Its Implications In Canada]

US – Federal Sites Working to Address “Canvas Fingerprinting”

The new online tracking tool “canvas fingerprinting“ has “latched onto” federal websites including those of the Department of Homeland Security, White House and Social Security Administration, according to research from Princeton and KU Leuven universities. The code for canvas fingerprinting comes from the AddThis widget, which is exploring the tool as an alternative to cookies. The agencies affected are looking for ways to address privacy concerns as they try to comply with privacy standards set by the Office of Management and Budget. The Transportation Security Administration plans to remove the AddThis widget from its site today, and the General Services Administration is reviewing its terms of service with AddThis. [FCW] [Canvas Fingerprinting and Why Website Operators Need to Take Control]

Other Jurisdictions

RU – Russian Government Bans Anonymous Wi-Fi

Russian Prime Minister Dmitry Medvedev has signed a decree prohibiting anonymous wireless Internet access. People using public wi-fi must provide identification before they are allowed to access the network. [The Register] [ZDNet] [CBC] see also: [Malta: Parents present Letter of Complaint opposing processing of student data] and [Chinese scientists develop mini-camera to scan crowds for potential suicide bombers] [The Turkish government has forwarded a data protection convention to the Turkish Grand National Assembly for ratification]

Privacy (US)

US – CDD Complaint Alleges Companies Are Breaking Safe Harbor Promises

A complaint filed with the FTC alleges at least 30 U.S. companies are “failing to provide” safeguards for European citizens promised under the Safe Harbor framework. The Center for Digital Democracy says Salesforce, Adobe, AOL and other companies are “compiling, using and sharing EU consumers’ personal information without their awareness and meaningful consent … All of the companies, we believe, fall far short of the commitments they have made under the Safe Harbor.” [ZDNet] [Dozens of U.S. tech firms violate EU privacy promises] see also: [US – DEA Improperly Paid $854,460 for Amtrak Passenger Lists]

US – Facebook Gets Support from Industry, Advocates in NYDA Case

A number of major tech companies, the New York Civil Liberties Union and the ACLU have filed amicus briefs with the court in support of Facebook over its fight with the New York District Attorney’s Office (NYDA) over protecting consumer data from government investigations. The groups say warrants like the one that required Facebook to hand over user data for 381 users to the NYDA are problematic, especially when they are attached to gag orders preventing the company from disclosing the data-sharing to users. “Unless Facebook is able to assert its subscribers’ constitutional rights … the legality of the government’s actions with respect to those subscribers will escape review altogether,” the groups wrote. [The Verge]

US – Schumer Warns About Wearables: “Privacy Nightmare”

Sen. Chuck Schumer (D-NY) has expressed harsh criticism and concerns about potential privacy issues related to wearable fitness trackers. “Personal fitness bracelets and the data they collect on your health, sleep and location should be just that—personal,” he said. “The fact that private health data—rich enough to identify the user’s gait—is being gathered by applications like Fitbit and can then be sold to third parties without the user’s consent is a true privacy nightmare.” The senator called on the Federal Trade Commission to require businesses to notify users that fitness and location data are being sold to third parties and provide opt-outs. A Fitbit spokesperson said the company does not sell user data and is willing to “work with” Schumer. [Business Insider] See also: [QR codes find a warm reception in Anchorage Mausoleum] and [UBC research on eye-tracking devices sheds light on the implications of wearable technology like Google Glass] and [Wearable users tracked with Raspberry Pi]

US – Citizens Don’t Want to Trade Privacy for Nat’l Security, Lower Prices

A new survey reveals that 42% of U.S. citizens would give up their privacy for national security and only 25% of respondents were willing to do so for lower prices. Released by the Public Affairs Council (PAC), the survey also found Republicans less likely than Democrats to trade some privacy for national security. PAC President Doug Pinkham said, “If you value your privacy, everyone says yes (that they are against giving up any of their privacy), but life is about trade-offs of cost or convenience or some other issue.” [The Wall Street Journal]

Privacy Enhancing Technologies (PETs)

WW – Computer Scientists Developing Web-Tracking Alternative

EU-based computer scientists have been developing peer-to-peer technology that could serve as an alternative to current web-tracking practices. Researchers from Germany’s Saarland University and the Center for IT Security, Privacy and Accountability and Italy’s IMT Institute for Advanced Studies have created Privada, which collects behavioral metrics on visitors to websites but separates the various metrics and sends them to different third-party servers, preventing any centralized database. “It’s a bit like tearing a picture apart and giving pieces to friends,” said one student involved in the project, adding, “They can only see the whole image if they put their pieces together.” [The Sydney Morning Herald]

WW – What’s Happening with Dark Mail?

Ladar Levison, creator of the now defunct Lavabit encrypted email service, described the progress of his new project, which aims to revolutionize email. Speaking at DefCon, Levison said that he is unhappy that the communications environment is such that “we need a [military grade] cryptographic mail system … just to be able to talk to our friends and family without … fear of government surveillance.” Now known as DIME, for the Dark Internet Mail Environment, the project uses layered cryptography to provide one-click, end-to-end email encryption. Levison expects DIME to be running by early next year. [The Register] [CNET] [TIME]

RFID

EU – Tech Standards for ‘Smart Tags’ Developed With Data Protection in Mind

Businesses making use of ‘radio frequency identification’ (RFID) chips will be able to comply with EU data protection laws if they adhere to new standards for the chips that have been finalised, according to the European Commission. [Out-Law] [New RFID standards from CEN/TC 225 – AIDC technologies]

Security

US – NIST Cybersecurity Guidelines Just a Starting Point

The National Institute of Standards and Technology’s cybersecurity guidelines for utilities, banks and other industries serve as the baseline for what affected companies should be doing to protect their networks from attacks. Some companies have come together to develop additional recommendations while other companies have created their own policies, the report states. The Financial Services Information Sharing and Analysis Center’s Third-Party Software Security Working Group, which included members from major financial institutions, had been looking at the issues since 2012, for example. Neuberger Berman’s chief information security officer said good companies will develop their own policies that exceed any standard—which always addresses the minimum controls needed. [The Wall Street Journal] See also: [Privacy Is Serious Business At Black Hat Security Conference]

US – Registration Now Open for NIST Event

The National Institute of Standards and Technology (NIST) is holding its second Privacy Engineering Workshop September 15 and 16, collocated with the IAPP’s Privacy Academy and CSA Congress. The workshop will consider draft privacy engineering definitions and concepts and the results will “inform the development of the NIST report on privacy engineering.” You can find a draft agenda here. If you’d like to be a part of the discussion, you can now register, for free, to attend the event, which will be held at the San Jose Marriott, in San Jose, CA. [NIST Press Release]

US – NIST Updates Draft Security, Privacy Assessments Guide

The National Institute of Standards and Technology (NIST) has released for public comment a draft update of the primary guide for assessing security and privacy controls that safeguard federal information systems and networks. The deadline for public comment is September 26. “We have made some significant changes to our security control assessment guidelines to support continuous monitoring and ongoing authorization,” said NIST Fellow and Joint Task Force Project Leader Ron Ross. “These changes can lead to greater efficiencies and cost-effective testing and evaluation of our critical information systems and supporting infrastructure.” [NIST press release]

US – Companies Doing Business with DoD Brace for New Rules

Organizations that conduct business with the Department of Defense (DoD) will be facing new rules for reporting computer breaches, and some fear the rules could hurt small- to medium-sized businesses. The pending rule change is part of a DoD effort to better understand the scale of hacking and to ensure businesses processing classified data inform the Pentagon of cyber-attacks. TechAmerica’s Mike Hettinger said the changes have “the potential to become too onerous” if minor breaches must be reported. Hogan Lovells Partner Harriet Pearson said, “What it really means is any defense contractor who intends to be able to handle classified information needs to review and update their breach detection, response and reporting.” [Bloomberg] See also: [Expert: Cybersecurity, privacy and government policy must adapt to a changing, complex environment | Video]

WW – PCI Security Standards Council Releases Third-Party Security Guidance

The Payment Card Industry (PCI) Security Standards Council has released guidance “to help organizations and their business partners reduce this risk by better understanding their respective roles in securing card data,” according to a PCI press release. With more businesses using third-party operations, risk of security incidents increase, the report states, hence the guidance aims to “ensure payment data and systems entrusted to third parties are maintained in a secure and compliant manner.” The “Third-Party Security Assurance Information Supplement“ has been informed by more than 160 organizations and includes recommendations to conduct due diligence and risk assessment, expectation-setting, appropriate third-party agreements and an ongoing monitoring process.

US – Most Companies Unsatisfied with Their Security Incident Response

A SANS study found that just nine percent of organizations believe that their response to security incidents is “highly effective.” More than a quarter of those responding said they were dissatisfied with their incident response. Among the impediments to effective response programs are lack of review and practice of response procedures, and insufficient budgets. [ZDNet]

US – Does It Matter That Wearables Often Have Bad Security?

As wearables proliferate—anything from medical devices to fitness trackers to infants’ onesies, all connected to the Internet—concerns about the security of the devices have consistently been raised. However, medical device manufacturers and the doctors who use them seem to be saying, “who cares?” One report notes that doctors can’t see why anyone would actually want to hack a pacemaker. Security experts call this “faith-based mismanagement.” Further, a pair of articles in CIO note that wearables are changing online privacy in significant ways and that it’s important to read privacy polices extensively before using such products. [IDG News Service] [NetworkWorld]

Smart Cards

CA – SecureKey to Launch New BC Services Card

Toronto-based SecureKey, a provider of organizations that deliver online consumer services, has announced that the Province of British Columbia (BC) is using SecureKey briidge.net Connect 3.0 as the foundation for the BC Services Card, the world’s first public sector Services Card for online authentication. The implementation also includes support from the world’s leading supplier of secure smart card microcontrollers, NXP Semiconductors. The BC Services Card replaces the existing provincial health CareCard and creates the foundation for multiple uses in the future. Citizens of British Columbia have the option of combining the BC Services Card with their driver’s license into a single, convenient card. It is envisioned that citizens will be able to use this card in the future for secure and private authentication to access in-person and online government services.[Government Security News Magazine]

Surveillance

US – How One City’s Video Surveillance System Got Hacked

Redlands, CA, employs a robust network of surveillance cameras to help law enforcement stymy drunk-driving, vandalism and other crimes, but the system was easily vulnerable to hacks. Two IT experts discovered the cameras were part of a mesh network but were not password-protected. The two were able to gain access to the police’s bird’s eye view of the city, creating a map of what the cameras watched—including the entrance to an adult movie store. A Redlands police commander said, “Our cameras only capture something happening in public view, so we weren’t incredibly concerned … But when we saw teasers for the presentation, we encrypted all the feeds out of an abundance of caution.” [Forbes] See also: [Halifax: City isn’t sure how many security cameras it has] and [About Those Facial Recognition Experiments at Your Nearest Music Festival] and also: [California PD Doesn’t Believe FAA Has Jurisdiction Over Its Drone Acquisition]

Telecom / TV

WW – Researchers Reveal Surveillance Capabilities in Phone Gyroscopes

The motion-detection capabilities in smartphones may have the potential to become a surreptitious eavesdropping sensor, according to researchers from Stanford University and Israeli defense research group Rafael. Gyroscopes help stabilize images for built-in cameras, aid in motion-based games and more, but the researchers also found they are sensitive enough to pick up on some sound waves, making them into rudimentary microphones. What’s more, apps do not need permission from a user to gain access to the gyroscope, the report states. One researcher noted it’s “quite dangerous to give direct access to the hardware like this without mitigating it in some way,” adding, “The point is that there’s acoustic information being leaked to the gyroscope.” [Wired]

US – FTC Approves iKeepSafe Under COPPA

The FTC has announced its approval of the Safe Harbor program of iKeepSafe, also known as the Internet Keep Safe Coalition, under COPPA. The application was approved in a 5-0 vote because of its compliance with the FTC’s COPPA rule, which requires online sites and services directed at children under the age of 13 to provide notice and obtain permission from parents before collecting personal information. The FTC said iKeepSafe provides “the same or greater protections for children” as those in the COPPA rule. [FTC]

US – California’s ‘Kill-Switch’ Bill Will Have Big Impact in U.S.

Legislation on California Gov. Jerry Brown’s desk, if signed, would require the sale of smart phones with a “kill switch” that could be activated by consumers if the devices are lost or stolen. Because of California’s immense size –12% of U.S. residents live in the state — the practical impact of the legislation could be the sale of smart phones with deactivation capabilities across the nation. California Senate Bill 962, which passed the Senate this week and the Assembly last week, would